{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/gem/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oj gem (\u003c 3.17.2)"],"_cs_severities":["high"],"_cs_tags":["overflow","ruby","gem","denial-of-service","remote-code-execution","application-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn attacker can exploit a critical stack-based buffer overflow vulnerability, identified as CVE-2026-54502, within the \u003ccode\u003eOj.dump\u003c/code\u003e function of the \u003ccode\u003eOj\u003c/code\u003e Ruby gem. This vulnerability affects all versions of the \u003ccode\u003eOj\u003c/code\u003e gem prior to \u003ccode\u003e3.17.2\u003c/code\u003e. The flaw stems from insufficient input validation of the \u003ccode\u003e:indent\u003c/code\u003e parameter; when an application passes an extremely large integer value (such as \u003ccode\u003eINT_MAX\u003c/code\u003e, 2,147,483,647) to this parameter, the internal \u003ccode\u003efill_indent\u003c/code\u003e function in \u003ccode\u003eext/oj/dump.h\u003c/code\u003e calls \u003ccode\u003ememset\u003c/code\u003e without proper size checks. This leads to an attempt to write gigabytes of data into a small, stack-allocated buffer, corrupting the process's stack and resulting in an immediate denial of service through a crash. If exploited precisely, this could also enable remote code execution, posing a significant risk to the availability and integrity of Ruby applications using the vulnerable gem.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker identifies a Ruby application utilizing a vulnerable \u003ccode\u003eOj\u003c/code\u003e gem version (prior to 3.17.2) and exposing a parameter or input field that directly or indirectly controls the \u003ccode\u003eindent\u003c/code\u003e argument for the \u003ccode\u003eOj.dump\u003c/code\u003e function. This could be a web API endpoint, a file processing service, or another untrusted input vector.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInput Provision\u003c/strong\u003e: The attacker crafts a request (e.g., an HTTP GET/POST parameter, an API call payload, or a crafted data file) containing an excessively large integer value (such as \u003ccode\u003e2,147,483,647\u003c/code\u003e representing \u003ccode\u003eINT_MAX\u003c/code\u003e) for the \u003ccode\u003eindent\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Processing\u003c/strong\u003e: The vulnerable Ruby application receives and processes this malicious input, passing the large integer value to the \u003ccode\u003eOj.dump\u003c/code\u003e function's \u003ccode\u003eindent\u003c/code\u003e option without adequate validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Function Call\u003c/strong\u003e: Internally, \u003ccode\u003eOj.dump\u003c/code\u003e invokes its C extension \u003ccode\u003efill_indent\u003c/code\u003e function (located in \u003ccode\u003eext/oj/dump.h\u003c/code\u003e), which receives the large \u003ccode\u003eindent\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBuffer Overflow\u003c/strong\u003e: Within \u003ccode\u003efill_indent\u003c/code\u003e, the \u003ccode\u003ememset\u003c/code\u003e function is called with the attacker-controlled large size, causing it to attempt to write gigabytes of data (\u003ccode\u003e(size_t)opts-\u0026gt;indent * depth\u003c/code\u003e) into a much smaller, fixed-size stack-allocated \u003ccode\u003eout\u003c/code\u003e buffer (approximately 4KB).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStack Corruption and Crash\u003c/strong\u003e: This massive write operation overflows the \u003ccode\u003eout\u003c/code\u003e buffer, severely corrupting the stack memory of the Ruby process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The stack corruption immediately triggers an abnormal termination of the Ruby application process, leading to a denial of service for the affected service or application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Code Execution\u003c/strong\u003e: In specific, carefully crafted scenarios, this stack corruption could potentially be leveraged to overwrite critical program control flow data (e.g., return addresses), allowing the attacker to achieve arbitrary code execution within the context of the vulnerable Ruby process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54502 primarily leads to a denial of service (DoS) for Ruby applications relying on the vulnerable \u003ccode\u003eOj\u003c/code\u003e gem, causing immediate process crashes and service unavailability. Depending on the application's design, this can severely impact business operations and user access. In more sophisticated attack scenarios, the stack-based buffer overflow might be exploited to achieve arbitrary remote code execution (RCE). If RCE is successful, attackers could compromise the underlying server, execute commands with the privileges of the Ruby process, exfiltrate sensitive data, or establish further persistence within the environment, leading to significant data breaches, system compromise, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54502 immediately by upgrading the \u003ccode\u003eoj\u003c/code\u003e gem to version 3.17.2 or later in all affected Ruby applications.\u003c/li\u003e\n\u003cli\u003eDeploy the webserver Sigma rule \u0026quot;Detect CVE-2026-54502 Exploitation Attempt - Large Oj.dump Indent\u0026quot; in this brief to your SIEM to identify attempts at exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation for all user-supplied data, particularly for parameters that influence data formatting or transformation, to prevent excessively large integer values from reaching sensitive functions.\u003c/li\u003e\n\u003cli\u003eDeploy the process creation Sigma rules \u0026quot;Detect Ruby Process Spawning Suspicious Child Process (Windows)\u0026quot; and \u0026quot;Detect Ruby Process Spawning Suspicious Child Process (Linux)\u0026quot; to monitor for potential remote code execution payloads from Ruby processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T19:47:47Z","date_published":"2026-06-19T19:47:47Z","id":"https://feed.craftedsignal.io/briefs/2026-06-stack-buffer-overflow-oj-gem/","summary":"The `Oj.dump` function in the `Oj` Ruby gem is vulnerable to a stack-based buffer overflow (CVE-2026-54502) due to improper validation of the `:indent` parameter, allowing an attacker to trigger a process crash or potentially remote code execution by providing an excessively large integer value, affecting all `Oj` gem versions prior to `3.17.2`.","title":"Stack Buffer Overflow in Oj Ruby Gem (CVE-2026-54502)","url":"https://feed.craftedsignal.io/briefs/2026-06-stack-buffer-overflow-oj-gem/"}],"language":"en","title":"CraftedSignal Threat Feed - Gem","version":"https://jsonfeed.org/version/1.1"}