CVE-2026-54896 in ohler55info

Summary

by MITRE • 07/01/2026

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.


Analysis

by VulDB Data Team • 07/01/2026

The Oj Ruby gem represents a high-performance JSON parser and object marshaller that has been widely adopted for its efficiency in handling JSON serialization tasks within Ruby applications. The vulnerability discovered in versions prior to 3.17.2 specifically targets the object mode functionality of the Oj.dump method, creating a critical heap buffer overflow condition that can lead to memory corruption and potential arbitrary code execution. This flaw demonstrates a fundamental issue in memory management where the serializer fails to properly account for additional formatting overhead during serialization operations.

The technical root cause stems from inadequate buffer size calculations within the serialization logic when processing Exception objects in object mode. The system allocates a heap buffer based solely on the size requirements of the object's attributes without considering the cumulative effect of indentation bytes that are appended during each write operation. When an indent value of 5000 characters is specified, the serializer creates multiple 5,000-byte indent strings that progressively overflow the originally allocated 13,150-byte heap buffer. This buffer overflow occurs because the system does not implement proper bounds checking or dynamic buffer resizing to accommodate the additional indentation overhead.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to execute arbitrary code through controlled memory corruption techniques. The heap overflow can overwrite adjacent memory segments including function pointers, return addresses, or other critical data structures, creating opportunities for privilege escalation or denial-of-service conditions. This vulnerability particularly affects applications that serialize Exception objects with substantial indentation values, which is common in debugging scenarios where formatted output is essential for error analysis and logging purposes.

Security practitioners should note this vulnerability aligns with CWE-121 Stack-based Buffer Overflow and CWE-787 Out-of-bounds Write classifications, representing a classic memory corruption issue that has been addressed through proper buffer management techniques. The fix implemented in version 3.17.2 demonstrates the importance of comprehensive input validation and dynamic buffer allocation when dealing with variable-length formatting parameters such as indentation values. Organizations utilizing Oj gem versions prior to 3.17.2 should prioritize immediate patching and implement monitoring for any suspicious memory corruption patterns or unexpected application behavior that might indicate exploitation attempts.

From an operational security perspective, this vulnerability highlights the importance of maintaining up-to-date dependencies and conducting regular security assessments of third-party libraries. The ATT&CK framework categorizes this type of vulnerability under T1059 Command and Scripting Interpreter and T1203 Exploitation for Client Execution, as it could enable attackers to execute malicious code through controlled memory corruption. Additionally, the vulnerability demonstrates how seemingly benign formatting parameters can become attack vectors when combined with improper buffer management, emphasizing the need for comprehensive security testing of serialization libraries and careful consideration of all input parameters during security reviews.

The remediation process requires updating to Oj version 3.17.2 or later while maintaining proper dependency management practices including regular vulnerability scanning and security monitoring. Organizations should also implement automated patch management systems to ensure timely deployment of security updates across their infrastructure. The vulnerability serves as a reminder that even well-established libraries can contain critical flaws that require continuous vigilance and proactive security measures, particularly when handling user-controlled input through serialization functions that may be exposed to untrusted data sources.
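As an added example (not code from the VulDB entry or from the Oj project), the two checks the remediation paragraph calls for, in Ruby: a Gemfile.lock scan that flags an Oj pin below the fixed 3.17.2, and a stopgap that clamps the `:indent` option in object mode on hosts not yet upgraded. The `MAX_INDENT` cap of 8 and the lockfile fragment are assumptions constructed for the demonstration.

```ruby
# Added example for CVE-2026-54896 (not part of the advisory or of Oj itself):
# a pre-upgrade version check plus a stopgap that clamps :indent before Oj.dump.
require "rubygems"

FIXED_OJ_VERSION = Gem::Version.new("3.17.2")
# Assumed cap: human-readable logs never need more than a handful of spaces.
MAX_INDENT = 8

# Returns the pinned version string for gem_name from Gemfile.lock text, or nil.
# Spec lines look like "    oj (3.16.1)"; dependency lines such as
# "      bigdecimal (>= 3.0)" carry an operator and are skipped on purpose.
def locked_gem_version(lockfile_text, gem_name)
  pattern = /\A\s+#{Regexp.escape(gem_name)} \((\d[^)\s]*)\)\s*\z/
  lockfile_text.each_line do |line|
    m = line.match(pattern)
    return m[1] if m
  end
  nil
end

# True when the given Oj version is below the release that fixed the overflow.
def oj_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
end

# Stopgap for hosts still on a vulnerable Oj: in object mode, the large
# :indent values the advisory describes are clamped to MAX_INDENT.
# Returns a new options hash for the caller to hand to Oj.dump.
def clamp_oj_options(opts, oj_version)
  return opts unless oj_vulnerable?(oj_version)
  indent = opts.fetch(:indent, 0).to_i
  return opts unless opts[:mode] == :object && indent > MAX_INDENT
  opts.merge(indent: MAX_INDENT)
end

# Constructed Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.1)
        bigdecimal (>= 3.0)
      rake (13.2.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = locked_gem_version(SAMPLE_LOCK, "oj")
  puts "oj #{v}: #{oj_vulnerable?(v) ? 'VULNERABLE (< 3.17.2)' : 'fixed'}"
  p clamp_oj_options({ mode: :object, indent: 5000 }, v)
end
```

The clamp only narrows exposure while the upgrade rolls out; moving to 3.17.2 or later remains the fix.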

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
