Heap Use-After-Free Vulnerability in Oj JSON Parser from Ohler55
CVE-2026-54899

6.3 MEDIUM

Key Information:

Vendor: Ohler55
Status: Vendor
CVE Published: 30 June 2026

What is CVE-2026-54899?

The Oj JSON parser (gem oj), prior to version 3.17.2, has a heap use-after-free in Oj::Parser when the symbol_keys option is changed on a reused parser instance. Switching symbol_keys from true to false frees the parser's internal key cache without clearing the pointer to it, so subsequent parse calls on the same instance can read from freed memory. The issue is fixed in version 3.17.2.
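
The following is an added example that models the bug class described above; it is not Oj's source (Oj::Parser is a C extension, but every struct, function and the JSON key-scanning logic here are hypothetical simplifications). A parser object keeps a key cache whose entries are only valid for one symbol_keys setting, so flipping the option must discard the cache. The vulnerable setter frees it but leaves the pointer set; the fixed setter also clears it so the next parse rebuilds the cache. A small ledger of freed addresses stands in for AddressSanitizer so the dangling use is reported as a return code rather than left as undefined behaviour. The JSON inputs are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CACHE_SLOTS  8
#define LEDGER_SLOTS 32

/* Hypothetical key cache: entries are "symbols" or "strings" depending on
 * the symbol_keys setting the cache was built under. */
typedef struct {
    bool   symbols;
    size_t count;
    char  *keys[CACHE_SLOTS];
} key_cache_t;

/* Hypothetical reusable parser object (not Oj's real struct). */
typedef struct {
    bool         symbol_keys;
    key_cache_t *cache;   /* NULL until the first parse builds it */
} parser_t;

/* Ledger of freed cache addresses: a stand-in for AddressSanitizer so the
 * dangling read below is detected deterministically. */
static void  *freed_ledger[LEDGER_SLOTS];
static size_t freed_n;

static bool is_freed(const void *p) {
    for (size_t i = 0; i < freed_n; i++)
        if (freed_ledger[i] == p) return true;
    return false;
}

/* All allocations go through here so an address handed out again by the
 * allocator is dropped from the ledger (it is live memory again). */
static void *model_alloc(size_t n) {
    void *p = calloc(1, n);
    if (!p) abort();
    for (size_t i = 0; i < freed_n; i++)
        if (freed_ledger[i] == p) { freed_ledger[i] = freed_ledger[--freed_n]; break; }
    return p;
}

static key_cache_t *cache_new(bool symbols) {
    key_cache_t *c = model_alloc(sizeof *c);
    c->symbols = symbols;
    return c;
}

static void cache_free(key_cache_t *c) {
    for (size_t i = 0; i < c->count; i++) free(c->keys[i]);
    if (freed_n < LEDGER_SLOTS) freed_ledger[freed_n++] = c;
    free(c);
}

/* Return the cached copy of key k (len bytes), adding it when absent. */
static const char *intern_key(key_cache_t *c, const char *k, size_t len) {
    for (size_t i = 0; i < c->count; i++)
        if (strlen(c->keys[i]) == len && memcmp(c->keys[i], k, len) == 0)
            return c->keys[i];
    if (c->count == CACHE_SLOTS) return NULL;
    char *dup = model_alloc(len + 1);
    memcpy(dup, k, len);
    c->keys[c->count++] = dup;
    return dup;
}

/* Vulnerable setter: the cache is freed, but the pointer is left set. */
void set_symbol_keys_vuln(parser_t *p, bool on) {
    if (p->cache && p->symbol_keys != on)
        cache_free(p->cache);          /* p->cache now dangles */
    p->symbol_keys = on;
}

/* Fixed setter: clear the pointer so the next parse rebuilds the cache. */
void set_symbol_keys_fixed(parser_t *p, bool on) {
    if (p->cache && p->symbol_keys != on) {
        cache_free(p->cache);
        p->cache = NULL;
    }
    p->symbol_keys = on;
}

/* Count the object keys in json (a quoted string followed by ':'),
 * interning each through the cache. Returns the key count, -1 if the cache
 * pointer dangles (the model's use-after-free report), -2 if the toy cache
 * is full. */
int parse(parser_t *p, const char *json) {
    if (p->cache && is_freed(p->cache)) return -1;
    if (!p->cache) p->cache = cache_new(p->symbol_keys);
    int n = 0;
    const char *s = json;
    while ((s = strchr(s, '"')) != NULL) {
        const char *end = strchr(s + 1, '"');
        if (!end) break;
        const char *after = end + 1;
        while (*after == ' ') after++;
        if (*after == ':') {
            if (!intern_key(p->cache, s + 1, (size_t)(end - s - 1))) return -2;
            n++;
        }
        s = end + 1;
    }
    return n;
}

/* The advisory's scenario: parse with symbol_keys on, flip it off on the
 * same instance, parse again. Returns the second parse's result:
 * 1 key with the fixed setter, -1 (dangling cache) with the vulnerable one. */
int reuse_after_toggle(void (*set_symbol_keys)(parser_t *, bool)) {
    parser_t p = { .symbol_keys = true, .cache = NULL };
    if (parse(&p, "{\"id\": 1, \"name\": \"x\"}") != 2) return -100;
    set_symbol_keys(&p, false);
    int second = parse(&p, "{\"id\": 2}");
    if (p.cache && !is_freed(p.cache)) cache_free(p.cache);
    return second;
}

int main(void) {
    printf("vulnerable setter: %d\n", reuse_after_toggle(set_symbol_keys_vuln));
    printf("fixed setter:      %d\n", reuse_after_toggle(set_symbol_keys_fixed));
    return 0;
}
```

Against the real gem, the equivalent check is to run the reuse-and-toggle sequence under AddressSanitizer (Ruby and the extension built with -fsanitize=address), which reports the read from freed memory that the ledger models here. The practical remediation is the one the advisory gives, upgrading to oj 3.17.2 or later; until then, do not change options on an Oj::Parser instance that has already parsed, and create a fresh instance per option set instead.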

Affected Version(s)

oj < 3.17.2

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
