Heap Use-After-Free Vulnerability in Oj JSON Parser by Ohler55
CVE-2026-54898
2.1 LOW
What is CVE-2026-54898?
The Oj JSON parser, packaged as a Ruby gem by Ohler55, has a heap use-after-free vulnerability in versions prior to 3.17.2. It is triggered when a SAJ/SAJ2 callback modifies the input JSON string while parsing is still in progress. The C engine holds a raw pointer into the Ruby string's internal buffer; if a callback such as hash_start grows the string, for example by calling String#replace with a longer value, Ruby reallocates the buffer and the engine's pointer becomes a dangling reference. When the parser goes on to read the next character, it reads from memory that has already been freed. The issue is fixed in version 3.17.2.
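As an added example, not code from the advisory or the Oj project: a Ruby helper that flags a locked oj version below the fixed release, plus a wrapper around the gem's Oj.saj_parse entry point (assumed API) that hands the parser a frozen private copy of the input so a callback cannot reallocate the buffer the C engine is still reading.

```ruby
# Added example (not from the advisory or the Oj project): flag vulnerable Oj
# versions from a Gemfile.lock and wrap SAJ parsing so callbacks cannot mutate
# the input buffer the C engine holds a pointer into.
require "rubygems"

FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# True when the given oj version is before the fixed release 3.17.2.
def oj_affected?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
end

# Scans Gemfile.lock text for the locked oj entry ("    oj (x.y.z)" under
# specs:) and returns [version, affected?], or nil when oj is not locked.
def check_gemfile_lock(lock_text)
  match = lock_text.match(/^\s{4}oj \(([^)]+)\)/)
  return nil unless match
  version = match[1]
  [version, oj_affected?(version)]
end

# Mitigation for the trigger described in the advisory: the SAJ engine keeps a
# raw pointer into the input String's buffer, so a callback that reallocates
# that buffer (e.g. String#replace with a longer value) leaves it dangling.
# Parsing a frozen private copy means the caller's original string can be
# mutated freely without touching the buffer being parsed, and any attempt to
# mutate the copy itself raises FrozenError in Ruby instead of reading freed
# memory in C. Oj.saj_parse is assumed to be the gem's streaming entry point;
# it is required lazily so the helpers above run without the gem installed.
def safe_saj_parse(handler, json)
  input = json.dup.freeze
  require "oj"
  Oj.saj_parse(handler, input)
end
```

Upgrading to oj 3.17.2 or later remains the actual fix; the wrapper only contains the failure mode for code that cannot upgrade immediately.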
Affected Version(s)
oj < 3.17.2
