CVE-2026-54897

Summary

by MITRE • 07/01/2026

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby. This issue has been fixed in version 3.17.2.


Analysis

by VulDB Data Team • 07/01/2026

The Oj gem represents a high-performance JSON parser and object marshaller for Ruby applications, widely utilized in web development and API processing environments where efficient data serialization and deserialization are critical. The vulnerability resides within the document iterator functionality, specifically affecting methods such as each_value, each_child, and each_leaf that enable traversal of JSON document structures. These iterators operate at the C level within the gem's native extensions, providing optimized performance for large JSON datasets while maintaining Ruby-level accessibility for developers.

The technical flaw is a heap use-after-free that occurs while an iterator is executing and yields to a Ruby block. When that block calls doc.close or d.close, the underlying C code frees the document's heap region while the C-level iterator is still in progress. This race condition leaves the iterator holding a pointer into freed memory, so the reads it performs after the block returns touch deallocated regions. The vulnerability is particularly dangerous because it bridges the gap between native C memory management and Ruby's garbage collection system, creating opportunities for arbitrary code execution or system instability.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to execute malicious code within the context of applications using affected Oj versions. Since the heap use-after-free occurs during normal iteration operations, any application processing JSON data through these methods becomes susceptible to exploitation, particularly in web applications where user input is processed through JSON parsers. The vulnerability affects all Ruby applications utilizing the Oj gem's document iterator functionality, with no specific input validation requirements for exploitation, making it a critical concern for systems handling untrusted JSON data from external sources.

Security researchers have classified this vulnerability under CWE-416, which specifically addresses use-after-free conditions in memory management. The attack pattern aligns with ATT&CK technique T1059.007 for Ruby-based exploitation and represents a classic heap corruption vulnerability that can lead to privilege escalation or remote code execution depending on the target application's execution context. The fix implemented in version 3.17.2 addresses the core memory management issue by ensuring proper synchronization between Ruby-level close operations and C-level iterator execution, preventing premature deallocation while maintaining iteration integrity.

Organizations should immediately upgrade to Oj version 3.17.2 or later to remediate this vulnerability, particularly those processing untrusted JSON input or operating in environments where memory corruption could lead to system compromise. Application developers should review code patterns that utilize document iterators and ensure proper resource management practices are followed. The vulnerability demonstrates the importance of careful memory management when bridging native and interpreted languages, highlighting that even well-established libraries can contain critical security flaws when complex interaction patterns exist between different execution layers. Security monitoring should include detection of unusual memory access patterns or heap corruption indicators in applications utilizing affected Oj versions to identify potential exploitation attempts.
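The remediation step above (upgrade to Oj 3.17.2 or later) is easiest to verify fleet-wide from each application's Gemfile.lock. The following script is an added example, not code from the VulDB advisory or the Oj project: it extracts the locked Oj version and compares it against the fixed version using Gem::Version. The lockfile text is constructed for the example; the function names locked_gem_version, oj_affected? and audit_lockfile are this example's own.

```ruby
# Added example (not from the advisory or the Oj project): audit a Gemfile.lock
# for an Oj version affected by CVE-2026-54897. The fixed version (3.17.2) is
# taken from the advisory text; everything else here is constructed.
require "rubygems"

FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# Constructed sample lockfile (not from any real project). Spec lines sit at a
# four-space indent under "specs:", which is the Bundler lockfile layout.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.9)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    oj
    rake
LOCK

# Returns the locked version string of gem_name from lockfile text, or nil if
# the gem is not a resolved spec. Only four-space-indented spec lines match,
# so sub-dependency lines (six spaces) and the DEPENDENCIES list (no version)
# are ignored. A platform suffix such as "-x86_64-linux" is dropped.
def locked_gem_version(lockfile_text, gem_name)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)/
  match = lockfile_text.match(pattern)
  return nil unless match

  match[1].split("-").first
end

# True when the given Oj version predates the fix. Gem::Version handles
# multi-digit segments correctly (3.17.10 is newer than 3.17.2).
def oj_affected?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
end

# Summarises the audit result for one lockfile.
def audit_lockfile(lockfile_text)
  version = locked_gem_version(lockfile_text, "oj")
  return { present: false, version: nil, affected: false } if version.nil?

  { present: true, version: version, affected: oj_affected?(version) }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOCKFILE : File.read(ARGV[0])
  result = audit_lockfile(text)
  if !result[:present]
    puts "oj is not locked in this Gemfile.lock"
  elsif result[:affected]
    puts "oj #{result[:version]} is affected by CVE-2026-54897; upgrade to #{FIXED_OJ_VERSION} or later"
  else
    puts "oj #{result[:version]} is at or above the fixed version"
  end
end
```

Run it with a path to a Gemfile.lock, or with no arguments to audit the embedded sample. Until the upgrade lands, the code-review counterpart is to confirm that no block passed to each_value, each_child or each_leaf closes the document it is iterating; the close belongs after the iteration has returned.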

Disclosure

07/01/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low
