GHSA-vwm4-62gf-x745

Source

https://github.com/advisories/GHSA-vwm4-62gf-x745

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vwm4-62gf-x745/GHSA-vwm4-62gf-x745.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vwm4-62gf-x745

Aliases

CVE-2026-54901

Published

2026-06-19T20:47:25Z

Modified

2026-06-19T21:00:17.017075523Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking

Details

Summary

Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed object, producing a segfault.

Version

Software: oj gem
Affected: all versions with ext/oj/usual.c / ext/oj/parser.c
Latest tested: 3.17.1 (confirmed present)

Details

The parser_mark function in ext/oj/parser.c is registered as the GC mark callback for the parser's TypedData. If array_class (stored as d->array_class in the Usual struct) is not passed to rb_gc_mark, the GC does not know it is referenced and may collect it.

When close_array_class (usual.c:405) later calls rb_funcallv on the collected class VALUE, it accesses freed memory, crashing at RIP: 0x7f... / 0x0000000000000000.

Crash output:

array_class finalized
about to parse
[BUG] Segmentation fault at 0x0000000000000000
    close_array_class+0x194  /ext/oj/usual.c:405
    parse+0x17b3             /ext/oj/parser.c:715
    parser_parse+0x10b       /ext/oj/parser.c:1408
RIP: 0x7fd1b46d68b7  RBP: 0x0000000000000000

Reproduce

require 'oj'
p = Oj::Parser.new(:usual,
  array_class: (ac = Class.new { def <<(_x); end }))
ObjectSpace.define_finalizer(ac, proc { warn 'array_class finalized' })
ac = nil
GC.start(full_mark: true, immediate_sweep: true)  # collect the class
p.parse('[1]')  # segfault

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-19T20:47:25Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-416"
    ]
}

References

Affected packages

RubyGems / oj

Package

Name: oj
Purl: pkg:gem/oj

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.17.3

Affected versions

0.*

0.5

0.5.1

0.5.2

0.6.0

0.7.0

0.8.0

0.9.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.3.0

1.3.2

1.3.4

1.3.5

1.3.6

1.3.7

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6a2

1.4.6

1.4.7

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.6

2.1.7

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0

2.6.1

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.8.1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.12.7

2.12.8

2.12.9

2.12.10

2.12.11

2.12.12

2.12.13

2.12.14

2.13.0

2.13.1

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.14.5

2.14.6

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.17.3

2.17.4

2.17.5

2.18.0

2.18.1

2.18.2

2.18.3

2.18.4

2.18.5

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.1.0

3.1.2

3.1.3

3.1.4

3.2.0

3.2.1

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.3.10

3.4.0

3.5.0

3.5.1

3.6.0

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.6.8

3.6.9

3.6.10

3.6.11

3.6.12

3.6.13

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.7.6

3.7.7

3.7.8

3.7.9

3.7.10

3.7.11

3.7.12

3.8.0

3.8.1

3.9.0

3.9.1

3.9.2

3.10.0

3.10.1

3.10.2

3.10.3

3.10.5

3.10.6

3.10.7

3.10.8

3.10.9

3.10.10

3.10.11

3.10.12

3.10.13

3.10.14

3.10.15

3.10.16

3.10.17

3.10.18

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.11.8

3.12.0

3.12.1

3.12.2

3.12.3

3.13.0

3.13.1

3.13.2

3.13.3

3.13.4

3.13.5

3.13.6

3.13.7

3.13.8

3.13.9

3.13.10

3.13.11

3.13.12

3.13.13

3.13.14

3.13.15

3.13.16

3.13.17

3.13.18

3.13.19

3.13.20

3.13.21

3.13.22

3.13.23

3.14.0

3.14.1

3.14.2

3.14.3

3.15.0

3.15.1

3.16.0

3.16.1

3.16.2

3.16.3

3.16.4

3.16.5

3.16.6

3.16.7

3.16.8

3.16.9

3.16.10

3.16.11

3.16.12

3.16.13

3.16.14

3.16.15

3.16.16

3.16.17

3.17.0

3.17.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vwm4-62gf-x745/GHSA-vwm4-62gf-x745.json"

last_known_affected_version_range

"< 3.17.2"