PT-2026-51085 · Rubygems · Oj

Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-54899

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary

Disabling symbol keys on a reused Oj::Parser instance triggers a heap use-after-free. When `symbol_keys` is toggled from true to false, `opt_symbol_keys_set` frees the internal key cache (`cache_free`) but does not clear the pointer. The next parse call reads from the freed cache via `cache_intern`, producing a use-after-free.

Version
- Software: oj gem
- Affected: all versions with ext/oj/usual.c
- Latest tested: 3.17.1 (confirmed present)
Details

In ext/oj/usual.c, `opt_symbol_keys_set`:

```c
// usual.c:1043–1051
if (symbol_keys) {
    d->key_cache = cache_create(...);  // allocate
} else {
    cache_free(d->key_cache);          // free, but the d->key_cache pointer is not NULLed
}
```

On the next parse call, `cache_key` → `cache_intern` reads from `d->key_cache`, which now points to freed memory.

ASAN report:
```
==145265==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b00001a318
READ of size 8 at 0x50b00001a318 thread T0
    #0 cache_intern /ext/oj/cache.c:328
    #1 cache_key /ext/oj/usual.c:161
    #2 close_object /ext/oj/usual.c:285
    #3 parse /ext/oj/parser.c:693
    #4 parser_parse /ext/oj/parser.c:1408

freed by thread T0 here:
    #0 free
    #1 cache_free /ext/oj/cache.c:277
    #2 opt_symbol_keys_set /ext/oj/usual.c:1051
    #3 option /ext/oj/usual.c:1111
    #4 parser_missing /ext/oj/parser.c:1362

0x50b00001a318 is 40 bytes inside freed 112-byte region
```

Reproduce
```ruby
require 'oj'

p = Oj::Parser.new(:usual, symbol_keys: true)
p.symbol_keys = false          # frees cache without nulling pointer
p.parse('{"attacker":1}')      # UAF: reads freed cache
```

Fix
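As an added illustration (not Oj's code and not the project's actual patch), a minimal C model of the setter and key lookup in which the dangling pointer is cleared after the free and the lookup tolerates a missing cache; the names `Delegate`, `Cache` and `delegate_init` are hypothetical stand-ins mirroring the advisory's identifiers:

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define CACHE_SLOTS 16

/* Hypothetical stand-ins for Oj's key cache and parser delegate. */
typedef struct Cache { char *slots[CACHE_SLOTS]; } Cache;
typedef struct Delegate { Cache *key_cache; bool symbol_keys; } Delegate;

static Cache *cache_create(void) { return calloc(1, sizeof(Cache)); }

static void cache_free(Cache *c) {
    if (c == NULL) return;                  /* tolerate an already-cleared pointer */
    for (int i = 0; i < CACHE_SLOTS; i++) free(c->slots[i]);
    free(c);
}

/* Returns the cache-owned interned copy of key, evicting a colliding slot. */
static const char *cache_intern(Cache *c, const char *key, size_t len) {
    size_t h = (len * 31u + (len ? (unsigned char)key[0] : 0)) % CACHE_SLOTS;
    char *s = c->slots[h];
    if (s == NULL || strlen(s) != len || memcmp(s, key, len) != 0) {
        char *n = malloc(len + 1);
        if (n == NULL) return NULL;
        memcpy(n, key, len);
        n[len] = '\0';
        free(s);
        c->slots[h] = s = n;
    }
    return s;
}

void delegate_init(Delegate *d) { d->key_cache = NULL; d->symbol_keys = false; }

/* Hardened setter: the vulnerable version freed the cache but left d->key_cache
 * dangling, so the next parse read freed memory. Clearing the pointer after the
 * free closes that window; the on-path reuses a live cache instead of leaking it. */
void opt_symbol_keys_set(Delegate *d, bool on) {
    d->symbol_keys = on;
    if (on) {
        if (d->key_cache == NULL) d->key_cache = cache_create();
    } else {
        cache_free(d->key_cache);
        d->key_cache = NULL;                /* the line the fix needs */
    }
}

/* Parser-side lookup: NULL means no cache is live, so the caller uses a plain key. */
const char *cache_key(Delegate *d, const char *key, size_t len) {
    if (d->key_cache == NULL) return NULL;  /* safe after symbol_keys = false */
    return cache_intern(d->key_cache, key, len);
}
```

Built with `-fsanitize=address`, toggling the option off and parsing again stays clean, which is the check the original setter fails.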
Use After Free
Weakness Enumeration

Related identifiers

Affected products
Oj