Heap Use-After-Free Vulnerability in Oj JSON Parser by Optimized JSON
CVE-2026-54897

2.1 LOW

Key Information:

Vendor: Ohler55
Status: Vendor
CVE Published: 30 June 2026

What is CVE-2026-54897?

The 'Oj' (Optimized JSON) parser, a widely used JSON parser and object marshaller in the Ruby ecosystem, is affected by a heap use-after-free vulnerability in versions before 3.17.2. The bug is reachable through the iterators each_value, each_child, and each_leaf. If the Ruby block passed to one of these iterators calls a method that closes the document (doc.close or d.close) while the iterator is still running, the heap memory backing the document is freed. When control returns to the iterator, it continues reading from that freed memory, which is undefined behavior; the advisory rates the impact as a low-severity local availability issue. Users are strongly advised to upgrade to version 3.17.2 or later to mitigate this issue. For further details on the vulnerability, see the GitHub Advisory.

Affected Version(s)

oj < 3.17.2
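The affected range above is the only thing most teams need to act on, so here is a small check that flags a Gemfile.lock pinning oj below the fixed release. It is an added example written for this page, not code from the Oj project or the advisory; the sample lockfile is constructed, and it assumes the standard Gemfile.lock layout in which direct gem specs are indented four spaces under `specs:`.

```ruby
# Added example (not from the advisory): scan a Gemfile.lock for an 'oj'
# pin older than the fixed release named in CVE-2026-54897.
require 'rubygems'

FIXED_OJ_VERSION = Gem::Version.new('3.17.2')

# Return every [name, version] pair listed as a direct spec in the lockfile.
def lockfile_specs(lock_text)
  lock_text.each_line.filter_map do |line|
    # Direct specs are indented exactly four spaces; their dependencies use six.
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    m && [m[1], m[2]]
  end
end

# Return the pinned oj version as a string, or nil when oj is not present.
def oj_version(lock_text)
  lockfile_specs(lock_text).find { |name, _| name == 'oj' }&.last
end

# True when the lockfile pins an oj release inside the affected range (< 3.17.2).
def oj_vulnerable?(lock_text)
  version = oj_version(lock_text)
  return false if version.nil?
  Gem::Version.new(version) < FIXED_OJ_VERSION
end

# Constructed sample lockfile; the versions are illustrative, not from a real project.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    bigdecimal (3.1.8)
    oj (3.16.9)
      bigdecimal (>= 3.0)
    ostruct (0.6.1)

DEPENDENCIES
  oj
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  v = oj_version(text)
  if v.nil?
    puts 'oj is not pinned in this lockfile'
  else
    puts "oj #{v}: #{oj_vulnerable?(text) ? 'affected (< 3.17.2), upgrade' : 'not affected'}"
  end
end
```

Run it with a path to a real Gemfile.lock as the first argument; with no argument it evaluates the constructed sample.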

References

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability Reserved