Heap Use-After-Free Vulnerability in Oj JSON Parser from Ohler55
CVE-2026-54899
6.3 MEDIUM
What is CVE-2026-54899?
The Oj JSON Parser, prior to version 3.17.2, has a heap use-after-free that is triggered when the symbol_keys option is disabled on a reused Oj::Parser instance. Specifically, when symbol_keys is switched from true to false, the internal key cache is freed but the pointer to it is not cleared, so subsequent parse calls can read from freed memory. This critical flaw has been addressed in version 3.17.2.
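The free-without-clear pattern described above, shown beside a hardened setter. This is an added example, not Oj's source code and not the project's actual patch. The struct layout and every function name are hypothetical, and clearing the pointer on release is assumed to be the remediation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model with hypothetical names; this is not Oj's source code. */
typedef struct { const char *slots[8]; size_t used; } key_cache;
typedef struct { int symbol_keys; key_cache *cache; } parser;

/* Vulnerable pattern: the cache is freed but p->cache keeps the stale address. */
void set_symbol_keys_vulnerable(parser *p, int on) {
    if (on && !p->cache) p->cache = calloc(1, sizeof(key_cache));
    if (!on) free(p->cache);            /* dangling pointer left behind */
    p->symbol_keys = on;
}

/* Hardened pattern: release and clear together so no later path sees the old address. */
void set_symbol_keys_fixed(parser *p, int on) {
    if (on && !p->cache) p->cache = calloc(1, sizeof(key_cache));
    if (!on) { free(p->cache); p->cache = NULL; }
    p->symbol_keys = on;
}

/* Parse-time key lookup. Returns 1 if the key went through the cache, 0 if not.
 * The NULL test only protects callers when the setter clears the pointer. */
int intern_key(parser *p, const char *key) {
    if (p->cache == NULL) return 0;     /* uncached path */
    for (size_t i = 0; i < p->cache->used; i++)
        if (strcmp(p->cache->slots[i], key) == 0) return 1;
    if (p->cache->used < 8) p->cache->slots[p->cache->used++] = key;
    return 1;
}

/* Reuse one parser across calls and toggle the option between parses.
 * Returns 1 when the second parse takes the uncached path on a cleared pointer. */
int reuse_after_toggle_is_safe(void) {
    parser p = {0, NULL};
    set_symbol_keys_fixed(&p, 1);
    int first = intern_key(&p, "id");   /* constructed sample key */
    set_symbol_keys_fixed(&p, 0);
    int second = intern_key(&p, "id");
    return first == 1 && second == 0 && p.cache == NULL;
}

int main(void) {
    printf("fixed setter safe on reuse: %d\n", reuse_after_toggle_is_safe());
    return 0;
}
```

Building a model like this with AddressSanitizer (`-fsanitize=address`) is a practical way to confirm that a reuse-and-toggle sequence no longer touches freed memory.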
Affected Version(s)
oj < 3.17.2
