Oj Gem (< 3.17.2) - CraftedSignal Threat Feed

Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close

hello@craftedsignal.io — Fri, 19 Jun 2026 19:56:18 +0000

A critical heap use-after-free vulnerability, identified as CVE-2026-54897, affects the Oj::Doc iterators within the oj Ruby gem. Specifically, the each_value, each_child, and each_leaf methods are vulnerable. The issue arises when a Ruby block, executed during the iteration process, makes a reentrant call to doc.close or d.close on the document or one of its child nodes. This premature closing operation frees the associated heap memory while the underlying C iterator in ext/oj/fast.c is still active. Upon returning from the Ruby block, the C code attempts to access memory that has already been deallocated, leading to a use-after-free condition. This vulnerability, present in all oj gem versions utilizing ext/oj/fast.c (confirmed up to v3.17.1), can be triggered from pure Ruby code and results in application instability, crashes, or potential arbitrary code execution. Organizations running Ruby applications that parse JSON via the oj gem are at risk.

Attack Chain

A Ruby application integrates and uses the oj gem for JSON data processing.
The application opens a JSON document for parsing using the Oj::Doc.open method.
The application initiates an iteration over the document's elements using a vulnerable iterator method such as each_value, each_child, or each_leaf, providing a Ruby block for processing.
During the execution of the yielded Ruby block, a call is inadvertently made to doc.close or d.close on the Oj::Doc instance or one of its child nodes.
This close operation triggers the ruby_sized_xfree function within the ext/oj/fast.c source, leading to the premature deallocation of the underlying heap memory buffer associated with the Oj::Doc object.
Control returns from the Ruby block to the original C iterator function in ext/oj/fast.c (e.g., doc_each_child).
The C iterator attempts to access or dereference pointers (like cur->next) that point to the heap memory region which was previously freed in step 5.
This access to deallocated memory results in a use-after-free condition, manifesting as application crashes, segmentation faults, or unpredictable program behavior.

Impact

The primary impact of CVE-2026-54897 is application instability and denial-of-service via crashing. Applications utilizing the vulnerable oj gem can be forced to terminate unexpectedly, leading to service disruption. Depending on the memory layout and the specific memory contents at the time of the use-after-free, this vulnerability could potentially be exploited for arbitrary code execution, though this has not been specifically detailed in the advisory. This could compromise the integrity and confidentiality of data processed by the Ruby application. Any Ruby application that handles untrusted JSON input and uses the vulnerable oj gem iterations is at risk.

Recommendation

Upgrade the oj gem to version 3.17.2 or later immediately to patch CVE-2026-54897.
Review application code for instances where doc.close or d.close might be called reentrantly within Oj::Doc iterator blocks, as described in the overview.
Deploy the Detects Ruby Process Access Violation (Windows) Sigma rule to monitor for unusual crashes in Ruby applications.
Deploy the Detects Ruby Process Segmentation Fault (Linux) Sigma rule to monitor for crashes in Ruby applications on Linux systems.

Stack Buffer Overflow in Oj Ruby Gem (CVE-2026-54502)

hello@craftedsignal.io — Fri, 19 Jun 2026 19:47:47 +0000

An attacker can exploit a critical stack-based buffer overflow vulnerability, identified as CVE-2026-54502, within the Oj.dump function of the Oj Ruby gem. This vulnerability affects all versions of the Oj gem prior to 3.17.2. The flaw stems from insufficient input validation of the :indent parameter; when an application passes an extremely large integer value (such as INT_MAX, 2,147,483,647) to this parameter, the internal fill_indent function in ext/oj/dump.h calls memset without proper size checks. This leads to an attempt to write gigabytes of data into a small, stack-allocated buffer, corrupting the process's stack and resulting in an immediate denial of service through a crash. If exploited precisely, this could also enable remote code execution, posing a significant risk to the availability and integrity of Ruby applications using the vulnerable gem.

Attack Chain

Initial Access: An attacker identifies a Ruby application utilizing a vulnerable Oj gem version (prior to 3.17.2) and exposing a parameter or input field that directly or indirectly controls the indent argument for the Oj.dump function. This could be a web API endpoint, a file processing service, or another untrusted input vector.
Input Provision: The attacker crafts a request (e.g., an HTTP GET/POST parameter, an API call payload, or a crafted data file) containing an excessively large integer value (such as 2,147,483,647 representing INT_MAX) for the indent parameter.
Application Processing: The vulnerable Ruby application receives and processes this malicious input, passing the large integer value to the Oj.dump function's indent option without adequate validation.
Vulnerable Function Call: Internally, Oj.dump invokes its C extension fill_indent function (located in ext/oj/dump.h), which receives the large indent value.
Buffer Overflow: Within fill_indent, the memset function is called with the attacker-controlled large size, causing it to attempt to write gigabytes of data ((size_t)opts->indent * depth) into a much smaller, fixed-size stack-allocated out buffer (approximately 4KB).
Stack Corruption and Crash: This massive write operation overflows the out buffer, severely corrupting the stack memory of the Ruby process.
Denial of Service: The stack corruption immediately triggers an abnormal termination of the Ruby application process, leading to a denial of service for the affected service or application.
Potential Code Execution: In specific, carefully crafted scenarios, this stack corruption could potentially be leveraged to overwrite critical program control flow data (e.g., return addresses), allowing the attacker to achieve arbitrary code execution within the context of the vulnerable Ruby process.

Impact

Successful exploitation of CVE-2026-54502 primarily leads to a denial of service (DoS) for Ruby applications relying on the vulnerable Oj gem, causing immediate process crashes and service unavailability. Depending on the application's design, this can severely impact business operations and user access. In more sophisticated attack scenarios, the stack-based buffer overflow might be exploited to achieve arbitrary remote code execution (RCE). If RCE is successful, attackers could compromise the underlying server, execute commands with the privileges of the Ruby process, exfiltrate sensitive data, or establish further persistence within the environment, leading to significant data breaches, system compromise, and financial losses.

Recommendation

Patch CVE-2026-54502 immediately by upgrading the oj gem to version 3.17.2 or later in all affected Ruby applications.
Deploy the webserver Sigma rule "Detect CVE-2026-54502 Exploitation Attempt - Large Oj.dump Indent" in this brief to your SIEM to identify attempts at exploiting this vulnerability.
Implement robust input validation for all user-supplied data, particularly for parameters that influence data formatting or transformation, to prevent excessively large integer values from reaching sensitive functions.
Deploy the process creation Sigma rules "Detect Ruby Process Spawning Suspicious Child Process (Windows)" and "Detect Ruby Process Spawning Suspicious Child Process (Linux)" to monitor for potential remote code execution payloads from Ruby processes.