{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/oj-gem--3.17.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oj gem (\u003c 3.17.2)"],"_cs_severities":["high"],"_cs_tags":["ruby","use-after-free","library-vulnerability","dos"],"_cs_type":"advisory","_cs_vendors":["Oj"],"content_html":"\u003cp\u003eA critical heap use-after-free vulnerability, identified as CVE-2026-54897, affects the \u003ccode\u003eOj::Doc\u003c/code\u003e iterators within the \u003ccode\u003eoj\u003c/code\u003e Ruby gem. Specifically, the \u003ccode\u003eeach_value\u003c/code\u003e, \u003ccode\u003eeach_child\u003c/code\u003e, and \u003ccode\u003eeach_leaf\u003c/code\u003e methods are vulnerable. The issue arises when a Ruby block, executed during the iteration process, makes a reentrant call to \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e on the document or one of its child nodes. This premature closing operation frees the associated heap memory while the underlying C iterator in \u003ccode\u003eext/oj/fast.c\u003c/code\u003e is still active. Upon returning from the Ruby block, the C code attempts to access memory that has already been deallocated, leading to a use-after-free condition. This vulnerability, present in all \u003ccode\u003eoj\u003c/code\u003e gem versions utilizing \u003ccode\u003eext/oj/fast.c\u003c/code\u003e (confirmed up to v3.17.1), can be triggered from pure Ruby code and results in application instability, crashes, or potential arbitrary code execution. Organizations running Ruby applications that parse JSON via the \u003ccode\u003eoj\u003c/code\u003e gem are at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA Ruby application integrates and uses the \u003ccode\u003eoj\u003c/code\u003e gem for JSON data processing.\u003c/li\u003e\n\u003cli\u003eThe application opens a JSON document for parsing using the \u003ccode\u003eOj::Doc.open\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe application initiates an iteration over the document's elements using a vulnerable iterator method such as \u003ccode\u003eeach_value\u003c/code\u003e, \u003ccode\u003eeach_child\u003c/code\u003e, or \u003ccode\u003eeach_leaf\u003c/code\u003e, providing a Ruby block for processing.\u003c/li\u003e\n\u003cli\u003eDuring the execution of the yielded Ruby block, a call is inadvertently made to \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e on the \u003ccode\u003eOj::Doc\u003c/code\u003e instance or one of its child nodes.\u003c/li\u003e\n\u003cli\u003eThis \u003ccode\u003eclose\u003c/code\u003e operation triggers the \u003ccode\u003eruby_sized_xfree\u003c/code\u003e function within the \u003ccode\u003eext/oj/fast.c\u003c/code\u003e source, leading to the premature deallocation of the underlying heap memory buffer associated with the \u003ccode\u003eOj::Doc\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eControl returns from the Ruby block to the original C iterator function in \u003ccode\u003eext/oj/fast.c\u003c/code\u003e (e.g., \u003ccode\u003edoc_each_child\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe C iterator attempts to access or dereference pointers (like \u003ccode\u003ecur-\u0026gt;next\u003c/code\u003e) that point to the heap memory region which was previously freed in step 5.\u003c/li\u003e\n\u003cli\u003eThis access to deallocated memory results in a use-after-free condition, manifesting as application crashes, segmentation faults, or unpredictable program behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-54897 is application instability and denial-of-service via crashing. Applications utilizing the vulnerable \u003ccode\u003eoj\u003c/code\u003e gem can be forced to terminate unexpectedly, leading to service disruption. Depending on the memory layout and the specific memory contents at the time of the use-after-free, this vulnerability could potentially be exploited for arbitrary code execution, though this has not been specifically detailed in the advisory. This could compromise the integrity and confidentiality of data processed by the Ruby application. Any Ruby application that handles untrusted JSON input and uses the vulnerable \u003ccode\u003eoj\u003c/code\u003e gem iterations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eoj\u003c/code\u003e gem to version 3.17.2 or later immediately to patch CVE-2026-54897.\u003c/li\u003e\n\u003cli\u003eReview application code for instances where \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e might be called reentrantly within \u003ccode\u003eOj::Doc\u003c/code\u003e iterator blocks, as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects Ruby Process Access Violation (Windows)\u003c/code\u003e Sigma rule to monitor for unusual crashes in Ruby applications.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects Ruby Process Segmentation Fault (Linux)\u003c/code\u003e Sigma rule to monitor for crashes in Ruby applications on Linux systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T19:56:18Z","date_published":"2026-06-19T19:56:18Z","id":"https://feed.craftedsignal.io/briefs/2026-06-oj-use-after-free/","summary":"A heap use-after-free vulnerability (CVE-2026-54897) exists in `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) in the `oj` Ruby gem, allowing an attacker to cause application crashes or unpredictable behavior when a Ruby block yielded during iteration reentrantly calls `doc.close` or `d.close`.","title":"Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close","url":"https://feed.craftedsignal.io/briefs/2026-06-oj-use-after-free/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oj gem (\u003c 3.17.2)"],"_cs_severities":["high"],"_cs_tags":["overflow","ruby","gem","denial-of-service","remote-code-execution","application-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn attacker can exploit a critical stack-based buffer overflow vulnerability, identified as CVE-2026-54502, within the \u003ccode\u003eOj.dump\u003c/code\u003e function of the \u003ccode\u003eOj\u003c/code\u003e Ruby gem. This vulnerability affects all versions of the \u003ccode\u003eOj\u003c/code\u003e gem prior to \u003ccode\u003e3.17.2\u003c/code\u003e. The flaw stems from insufficient input validation of the \u003ccode\u003e:indent\u003c/code\u003e parameter; when an application passes an extremely large integer value (such as \u003ccode\u003eINT_MAX\u003c/code\u003e, 2,147,483,647) to this parameter, the internal \u003ccode\u003efill_indent\u003c/code\u003e function in \u003ccode\u003eext/oj/dump.h\u003c/code\u003e calls \u003ccode\u003ememset\u003c/code\u003e without proper size checks. This leads to an attempt to write gigabytes of data into a small, stack-allocated buffer, corrupting the process's stack and resulting in an immediate denial of service through a crash. If exploited precisely, this could also enable remote code execution, posing a significant risk to the availability and integrity of Ruby applications using the vulnerable gem.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker identifies a Ruby application utilizing a vulnerable \u003ccode\u003eOj\u003c/code\u003e gem version (prior to 3.17.2) and exposing a parameter or input field that directly or indirectly controls the \u003ccode\u003eindent\u003c/code\u003e argument for the \u003ccode\u003eOj.dump\u003c/code\u003e function. This could be a web API endpoint, a file processing service, or another untrusted input vector.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInput Provision\u003c/strong\u003e: The attacker crafts a request (e.g., an HTTP GET/POST parameter, an API call payload, or a crafted data file) containing an excessively large integer value (such as \u003ccode\u003e2,147,483,647\u003c/code\u003e representing \u003ccode\u003eINT_MAX\u003c/code\u003e) for the \u003ccode\u003eindent\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Processing\u003c/strong\u003e: The vulnerable Ruby application receives and processes this malicious input, passing the large integer value to the \u003ccode\u003eOj.dump\u003c/code\u003e function's \u003ccode\u003eindent\u003c/code\u003e option without adequate validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Function Call\u003c/strong\u003e: Internally, \u003ccode\u003eOj.dump\u003c/code\u003e invokes its C extension \u003ccode\u003efill_indent\u003c/code\u003e function (located in \u003ccode\u003eext/oj/dump.h\u003c/code\u003e), which receives the large \u003ccode\u003eindent\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBuffer Overflow\u003c/strong\u003e: Within \u003ccode\u003efill_indent\u003c/code\u003e, the \u003ccode\u003ememset\u003c/code\u003e function is called with the attacker-controlled large size, causing it to attempt to write gigabytes of data (\u003ccode\u003e(size_t)opts-\u0026gt;indent * depth\u003c/code\u003e) into a much smaller, fixed-size stack-allocated \u003ccode\u003eout\u003c/code\u003e buffer (approximately 4KB).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStack Corruption and Crash\u003c/strong\u003e: This massive write operation overflows the \u003ccode\u003eout\u003c/code\u003e buffer, severely corrupting the stack memory of the Ruby process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The stack corruption immediately triggers an abnormal termination of the Ruby application process, leading to a denial of service for the affected service or application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Code Execution\u003c/strong\u003e: In specific, carefully crafted scenarios, this stack corruption could potentially be leveraged to overwrite critical program control flow data (e.g., return addresses), allowing the attacker to achieve arbitrary code execution within the context of the vulnerable Ruby process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54502 primarily leads to a denial of service (DoS) for Ruby applications relying on the vulnerable \u003ccode\u003eOj\u003c/code\u003e gem, causing immediate process crashes and service unavailability. Depending on the application's design, this can severely impact business operations and user access. In more sophisticated attack scenarios, the stack-based buffer overflow might be exploited to achieve arbitrary remote code execution (RCE). If RCE is successful, attackers could compromise the underlying server, execute commands with the privileges of the Ruby process, exfiltrate sensitive data, or establish further persistence within the environment, leading to significant data breaches, system compromise, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54502 immediately by upgrading the \u003ccode\u003eoj\u003c/code\u003e gem to version 3.17.2 or later in all affected Ruby applications.\u003c/li\u003e\n\u003cli\u003eDeploy the webserver Sigma rule \u0026quot;Detect CVE-2026-54502 Exploitation Attempt - Large Oj.dump Indent\u0026quot; in this brief to your SIEM to identify attempts at exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation for all user-supplied data, particularly for parameters that influence data formatting or transformation, to prevent excessively large integer values from reaching sensitive functions.\u003c/li\u003e\n\u003cli\u003eDeploy the process creation Sigma rules \u0026quot;Detect Ruby Process Spawning Suspicious Child Process (Windows)\u0026quot; and \u0026quot;Detect Ruby Process Spawning Suspicious Child Process (Linux)\u0026quot; to monitor for potential remote code execution payloads from Ruby processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T19:47:47Z","date_published":"2026-06-19T19:47:47Z","id":"https://feed.craftedsignal.io/briefs/2026-06-stack-buffer-overflow-oj-gem/","summary":"The `Oj.dump` function in the `Oj` Ruby gem is vulnerable to a stack-based buffer overflow (CVE-2026-54502) due to improper validation of the `:indent` parameter, allowing an attacker to trigger a process crash or potentially remote code execution by providing an excessively large integer value, affecting all `Oj` gem versions prior to `3.17.2`.","title":"Stack Buffer Overflow in Oj Ruby Gem (CVE-2026-54502)","url":"https://feed.craftedsignal.io/briefs/2026-06-stack-buffer-overflow-oj-gem/"}],"language":"en","title":"CraftedSignal Threat Feed - Oj Gem (\u003c 3.17.2)","version":"https://jsonfeed.org/version/1.1"}