Vulnerability DatabaseCVE-2026-54899
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-54899
Published:June 19, 2026
Updated:June 21, 2026
Summary Disabling "symbol_keys" on a reused "Oj::Parser" instance triggers a heap use-after-free. When "symbol_keys" is toggled from "true" to "false", "opt_symbol_keys_set" frees the internal key cache ("cache_free") but does not clear the pointer. The next "parse" call reads from the freed cache via "cache_intern", producing a use-after-free. Version - Software: oj gem - Affected: all versions with "ext/oj/usual.c" - Latest tested: 3.17.1 (confirmed present) Details "ext/oj/usual.c", "opt_symbol_keys_set": // usual.c:1043–1051 if (symbol_keys) { d->key_cache = cache_create(...); // allocate } else { cache_free(d->key_cache); // free — but d->key_cache pointer not NULLed } On the next parse call, "cache_key" → "cache_intern" reads from "d->key_cache" which now points to freed memory. ASAN report: ==145265==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b00001a318 READ of size 8 at 0x50b00001a318 thread T0 #0 cache_intern /ext/oj/cache.c:328 #1 cache_key /ext/oj/usual.c:161 #2 close_object /ext/oj/usual.c:285 #3 parse /ext/oj/parser.c:693 #4 parser_parse /ext/oj/parser.c:1408 freed by thread T0 here: #0 free #1 cache_free /ext/oj/cache.c:277 #2 opt_symbol_keys_set /ext/oj/usual.c:1051 #3 option /ext/oj/usual.c:1111 #4 parser_missing /ext/oj/parser.c:1362 0x50b00001a318 is 40 bytes inside freed 112-byte region [fd]fd fd fd fd fd fd fd Reproduce require 'oj' p = Oj::Parser.new(:usual, symbol_keys: true) p.symbol_keys = false # frees cache without nulling pointer p.parse('{"attacker":1}') # UAF: reads freed cache
Affected Packages
oj (RUBY):
Affected version(s) >=0.5 <3.17.3
Fix Suggestion:
Update to version 3.17.3
Related Resources (2)
https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r
https://github.com/ohler55/oj
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Use After Free
CWE-416