{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/oj/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oj gem"],"_cs_severities":["high"],"_cs_tags":["ruby","vulnerability","heap-overflow"],"_cs_type":"advisory","_cs_vendors":["Oj"],"content_html":"\u003cp\u003eThe \u003ccode\u003eoj\u003c/code\u003e Ruby gem, specifically its \u003ccode\u003eOj.dump\u003c/code\u003e function in object serialization mode, is affected by a heap buffer overflow vulnerability, identified as CVE-2026-54896. This flaw impacts all versions of the gem that include the \u003ccode\u003eext/oj/dump.h\u003c/code\u003e component, up to and including version 3.17.1. The vulnerability occurs when an application attempts to serialize an \u003ccode\u003eException\u003c/code\u003e object using \u003ccode\u003eOj.dump\u003c/code\u003e with a particularly large \u003ccode\u003e:indent\u003c/code\u003e value (e.g., 5000). The underlying C implementation pre-allocates a buffer based on the object's attributes but fails to account for the substantial additional memory required by the indent string, leading to repeated writes beyond the buffer's boundary. This memory corruption can result in application crashes, denial of service, or potentially enable arbitrary code execution. 
Defenders should prioritize patching and validating \u003ccode\u003eoj\u003c/code\u003e gem versions in their Ruby applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Input\u003c/strong\u003e: An attacker sends crafted JSON input to a vulnerable application that utilizes the \u003ccode\u003eoj\u003c/code\u003e gem.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObject Deserialization\u003c/strong\u003e: The application processes the attacker's input using \u003ccode\u003eOj.load\u003c/code\u003e in object mode, which creates a Ruby \u003ccode\u003eException\u003c/code\u003e object (e.g., \u003ccode\u003eRuntimeError\u003c/code\u003e) from the JSON.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Serialization Call\u003c/strong\u003e: A legitimate application component subsequently attempts to serialize this \u003ccode\u003eException\u003c/code\u003e object back to JSON using \u003ccode\u003eOj.dump\u003c/code\u003e, with an excessively large \u003ccode\u003e:indent\u003c/code\u003e value (e.g., 5000), which might be attacker-controlled or a misconfigured application setting.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInsufficient Buffer Allocation\u003c/strong\u003e: Internally, \u003ccode\u003eOj.dump\u003c/code\u003e (specifically \u003ccode\u003edump_obj_attrs\u003c/code\u003e) allocates a memory buffer for the serialization output, but this buffer's size is based on the object's attributes and does not adequately account for the combined size of the large indentation strings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHeap Buffer Overflow\u003c/strong\u003e: The \u003ccode\u003efill_indent\u003c/code\u003e function is repeatedly called during serialization to add indentation. 
When writing the large indent string (e.g., 5000 bytes) into the pre-allocated buffer, it exceeds the available space.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMemory Corruption and Impact\u003c/strong\u003e: This repeated out-of-bounds writing causes a heap buffer overflow, corrupting adjacent memory. This typically leads to a denial of service through an application crash or, in more advanced scenarios, could be leveraged for arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-54896 is memory corruption, leading to the affected Ruby application crashing and resulting in a denial of service. If an attacker can reliably control the execution flow after the overflow, it could potentially be escalated to remote code execution. Although no specific victim counts or targeted sectors have been disclosed, any Ruby application utilizing the \u003ccode\u003eoj\u003c/code\u003e gem in a manner that deserializes untrusted input and subsequently reserializes \u003ccode\u003eException\u003c/code\u003e objects with large indent values is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-54896\u003c/strong\u003e: Immediately upgrade the \u003ccode\u003eoj\u003c/code\u003e gem to version \u003ccode\u003e3.17.2\u003c/code\u003e or later to mitigate CVE-2026-54896.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Application-Level Controls\u003c/strong\u003e: Developers should ensure that user-controlled input does not dictate the \u003ccode\u003e:indent\u003c/code\u003e parameter for \u003ccode\u003eOj.dump\u003c/code\u003e calls and avoid using excessively large hardcoded indent values.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rules\u003c/strong\u003e: Deploy the provided Sigma rules to your SIEM solution to detect abnormal 
\u003ccode\u003eruby\u003c/code\u003e process terminations or crash dump creations, which may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Process Monitoring\u003c/strong\u003e: Ensure robust process creation and termination logging is enabled for Ruby applications (e.g., Sysmon on Windows, Auditd on Linux) to capture potential crash-related events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T19:57:25Z","date_published":"2026-06-19T19:57:25Z","id":"https://feed.craftedsignal.io/briefs/2026-06-oj-heap-buffer-overflow/","summary":"The `Oj.dump` function in the Ruby `oj` gem, when operating in object mode, is vulnerable to a heap buffer overflow (CVE-2026-54896) when serializing `Exception` objects with an excessively large `:indent` value, leading to memory corruption and potential denial of service or remote code execution.","title":"Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent (CVE-2026-54896)","url":"https://feed.craftedsignal.io/briefs/2026-06-oj-heap-buffer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oj gem (\u003c 3.17.2)"],"_cs_severities":["high"],"_cs_tags":["ruby","use-after-free","library-vulnerability","dos"],"_cs_type":"advisory","_cs_vendors":["Oj"],"content_html":"\u003cp\u003eA critical heap use-after-free vulnerability, identified as CVE-2026-54897, affects the \u003ccode\u003eOj::Doc\u003c/code\u003e iterators within the \u003ccode\u003eoj\u003c/code\u003e Ruby gem. Specifically, the \u003ccode\u003eeach_value\u003c/code\u003e, \u003ccode\u003eeach_child\u003c/code\u003e, and \u003ccode\u003eeach_leaf\u003c/code\u003e methods are vulnerable. The issue arises when a Ruby block, executed during the iteration process, makes a reentrant call to \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e on the document or one of its child nodes. 
This premature closing operation frees the associated heap memory while the underlying C iterator in \u003ccode\u003eext/oj/fast.c\u003c/code\u003e is still active. Upon returning from the Ruby block, the C code attempts to access memory that has already been deallocated, leading to a use-after-free condition. This vulnerability, present in all \u003ccode\u003eoj\u003c/code\u003e gem versions utilizing \u003ccode\u003eext/oj/fast.c\u003c/code\u003e (confirmed up to v3.17.1), can be triggered from pure Ruby code and results in application instability, crashes, or potential arbitrary code execution. Organizations running Ruby applications that parse JSON via the \u003ccode\u003eoj\u003c/code\u003e gem are at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA Ruby application integrates and uses the \u003ccode\u003eoj\u003c/code\u003e gem for JSON data processing.\u003c/li\u003e\n\u003cli\u003eThe application opens a JSON document for parsing using the \u003ccode\u003eOj::Doc.open\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe application initiates an iteration over the document's elements using a vulnerable iterator method such as \u003ccode\u003eeach_value\u003c/code\u003e, \u003ccode\u003eeach_child\u003c/code\u003e, or \u003ccode\u003eeach_leaf\u003c/code\u003e, providing a Ruby block for processing.\u003c/li\u003e\n\u003cli\u003eDuring the execution of the yielded Ruby block, a call is inadvertently made to \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e on the \u003ccode\u003eOj::Doc\u003c/code\u003e instance or one of its child nodes.\u003c/li\u003e\n\u003cli\u003eThis \u003ccode\u003eclose\u003c/code\u003e operation triggers the \u003ccode\u003eruby_sized_xfree\u003c/code\u003e function within the \u003ccode\u003eext/oj/fast.c\u003c/code\u003e source, leading to the premature deallocation of the underlying heap memory buffer associated with the 
\u003ccode\u003eOj::Doc\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eControl returns from the Ruby block to the original C iterator function in \u003ccode\u003eext/oj/fast.c\u003c/code\u003e (e.g., \u003ccode\u003edoc_each_child\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe C iterator attempts to access or dereference pointers (like \u003ccode\u003ecur-\u0026gt;next\u003c/code\u003e) that point to the heap memory region which was previously freed in step 5.\u003c/li\u003e\n\u003cli\u003eThis access to deallocated memory results in a use-after-free condition, manifesting as application crashes, segmentation faults, or unpredictable program behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-54897 is application instability and denial-of-service via crashing. Applications utilizing the vulnerable \u003ccode\u003eoj\u003c/code\u003e gem can be forced to terminate unexpectedly, leading to service disruption. Depending on the memory layout and the specific memory contents at the time of the use-after-free, this vulnerability could potentially be exploited for arbitrary code execution, though this has not been specifically detailed in the advisory. This could compromise the integrity and confidentiality of data processed by the Ruby application. 
Any Ruby application that handles untrusted JSON input and uses the vulnerable \u003ccode\u003eoj\u003c/code\u003e gem iterators is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eoj\u003c/code\u003e gem to version 3.17.2 or later immediately to patch CVE-2026-54897.\u003c/li\u003e\n\u003cli\u003eReview application code for instances where \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e might be called reentrantly within \u003ccode\u003eOj::Doc\u003c/code\u003e iterator blocks, as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects Ruby Process Access Violation (Windows)\u003c/code\u003e Sigma rule to monitor for unusual crashes in Ruby applications.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects Ruby Process Segmentation Fault (Linux)\u003c/code\u003e Sigma rule to monitor for crashes in Ruby applications on Linux systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T19:56:18Z","date_published":"2026-06-19T19:56:18Z","id":"https://feed.craftedsignal.io/briefs/2026-06-oj-use-after-free/","summary":"A heap use-after-free vulnerability (CVE-2026-54897) exists in `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) in the `oj` Ruby gem, allowing an attacker to cause application crashes or unpredictable behavior when a Ruby block yielded during iteration reentrantly calls `doc.close` or `d.close`.","title":"Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close","url":"https://feed.craftedsignal.io/briefs/2026-06-oj-use-after-free/"}],"language":"en","title":"CraftedSignal Threat Feed - Oj","version":"https://jsonfeed.org/version/1.1"}