Heap Corruption Vulnerability in Oj Ruby Gem by Ohler55
CVE-2026-54900

6.3 MEDIUM

Key Information:

Vendor

Ohler55

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-54900?

The Oj Ruby gem, a JSON parser and object marshaller, is susceptible to a heap corruption issue when the create_id option is enabled and a JSON object key is exactly 65,535 bytes long. The flaw arises from an integer truncation during parsing, which causes a negative size to be passed to memcpy. Because memcpy takes an unsigned size, the call attempts to copy an excessive amount of memory, potentially corrupting the heap and causing crashes. The vulnerability is addressed in version 3.17.2 of the Oj gem.
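The truncation class described above, as an added illustration that is not Oj's own code: a hypothetical signed 16-bit key-length field receives a 65,535-byte key, truncates to -1, and reaches memcpy as SIZE_MAX. The hardened variant rejects lengths the field cannot represent before converting. The field type, buffer size and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key-length field: a signed 16-bit integer (assumption for
 * this illustration of the truncation class, not Oj's real data type). */
typedef int16_t key_len_t;

/* Truncate a full-size length into the 16-bit field, as a buggy path would.
 * 65535 (0xFFFF) does not fit; on two's-complement targets it becomes -1. */
key_len_t truncated_len(size_t n) {
    return (key_len_t)n;
}

/* What memcpy actually receives: size_t is unsigned, so -1 becomes SIZE_MAX. */
size_t as_memcpy_size(key_len_t len) {
    return (size_t)len;
}

/* Hardened copy: reject lengths the field cannot represent before converting,
 * and bound the copy by the destination capacity. Returns 0 on success, -1 on reject. */
int safe_key_copy(char *dst, size_t dst_cap, const char *src, size_t n) {
    if (n > (size_t)INT16_MAX) {      /* would not survive the 16-bit conversion */
        return -1;
    }
    key_len_t len = (key_len_t)n;     /* now provably non-negative */
    if ((size_t)len + 1 > dst_cap) {  /* leave room for the terminator */
        return -1;
    }
    memcpy(dst, src, (size_t)len);
    dst[len] = '\0';
    return 0;
}

/* Convenience wrapper over a fixed 64-byte buffer (constructed for the demo). */
int try_copy(const char *src, size_t n) {
    static char demo_buf[64];
    return safe_key_copy(demo_buf, sizeof demo_buf, src, n);
}

int main(void) {
    key_len_t len = truncated_len(65535);
    printf("65535 truncated to 16 bits: %d\n", (int)len);
    printf("passed to memcpy as size_t: %zu\n", as_memcpy_size(len));
    printf("hardened copy of a 65535-byte key: %d\n", try_copy("", 65535));
    printf("hardened copy of a 3-byte key: %d\n", try_copy("abc", 3));
    return 0;
}
```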

Affected Version(s)

oj < 3.17.2

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved