CVE-2026-54901 in ohler55info

Summary

by MITRE • 07/01/2026

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection, leading to Use-After-Free. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed object, producing a segfault. This issue has been fixed in version 3.17.2.


Analysis

by VulDB Data Team • 07/01/2026

The Oj Ruby gem vulnerability is a critical use-after-free condition in parser implementations prior to version 3.17.2. The flaw resides in the Oj::Parser component when operating in usual mode, where the parser fails to mark its references to the configured array_class and hash_class objects during Ruby's garbage collection. It stems from improper memory management that leaves those object references in an inconsistent state, opening a window for memory corruption.

The flaw is a matter of garbage-collector timing relative to class assignment in the parser's internal state. When Oj::Parser stores the class objects it uses to build arrays and hashes, it does not mark them (or otherwise register them) with Ruby's garbage collector, so nothing prevents them from being collected. This creates a race condition: if garbage collection runs between the assignment of these class references and a subsequent parsing operation, the referenced objects become eligible for deallocation while the parser instance still holds them.

The operational impact is a segmentation fault during normal parsing when the parser dereferences the previously freed memory. The dangling VALUE reference makes the Ruby interpreter access deallocated memory, terminating the process immediately. The vulnerability affects any application that uses Oj::Parser in usual mode with an array_class or hash_class configured, which makes it particularly dangerous in production environments where parsing operations are frequent and critical.

The root cause of this issue aligns with CWE-416, which addresses use-after-free vulnerabilities in memory management systems. From an ATT&CK framework perspective, this vulnerability maps to T1587.002 for defense evasion through code injection techniques, as exploitation could potentially allow attackers to manipulate parser behavior and execute arbitrary code. The vulnerability demonstrates poor resource management practices that violate fundamental security principles of memory safety and proper reference handling in interpreted languages.

Mitigation consists of an immediate upgrade to Oj version 3.17.2 or later, which marks the class objects properly during garbage collection cycles. Organizations should also consider monitoring for segmentation faults at runtime and automating patch management for Ruby gem dependencies. Additionally, application developers should avoid relying on mutable class configurations during active parsing and should add error handling around parser initialization to detect potential memory corruption conditions.
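As an added example (not part of the advisory and not the Oj project's own code), the following Ruby audit scans a Gemfile.lock for the pinned oj version and flags anything below the fixed release 3.17.2; the lockfile text is constructed for illustration.

```ruby
require "rubygems"

# Fixed release named in the advisory: CVE-2026-54901 affects Oj < 3.17.2.
OJ_FIXED_VERSION = Gem::Version.new("3.17.2")

# True when the given Oj version string falls in the affected range.
def oj_affected?(version_string)
  Gem::Version.new(version_string) < OJ_FIXED_VERSION
end

# Returns every pinned oj version found in the "specs:" section of a
# Gemfile.lock. Only "oj (x.y.z)" lines match; dependency constraints such
# as "oj (~> 3.17)" or "oj (>= 3.0)" do not start with a digit and are
# skipped. A platform suffix like "3.17.1-x86_64-linux" is stripped so it
# is not mistaken for a prerelease by Gem::Version.
def oj_versions_in_lockfile(lock_text)
  lock_text.scan(/^\s+oj \((\d+(?:\.\d+)*)(?:-[^)]*)?\)\s*$/).flatten.uniq
end

# One result per pinned oj version: { version: "3.17.1", affected: true }.
def audit_lockfile(lock_text)
  oj_versions_in_lockfile(lock_text).map do |v|
    { version: v, affected: oj_affected?(v) }
  end
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.17.1)
        bigdecimal (>= 3.0)
      example_app_helper (1.0.0)
        oj (>= 3.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    oj (~> 3.17)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCK).each do |r|
    status = r[:affected] ? "AFFECTED (upgrade to >= 3.17.2)" : "ok"
    puts "oj #{r[:version]}: #{status}"
  end
end
```

Run it against a real lockfile with `audit_lockfile(File.read("Gemfile.lock"))`.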

The vulnerability highlights the importance of careful memory management in high-performance parsing libraries where object lifetime management becomes critical for security. This issue demonstrates how seemingly benign parser configuration options can introduce fundamental stability and security risks when not properly implemented with consideration for garbage collector behavior and reference semantics in dynamic languages like Ruby.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
