CVE-2026-54903 PUBLISHED

Oj: Integer Overflow in Oj.load 2GB String Handling

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 30.06.2026 Updated: 01.07.2026

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.
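As an added illustration of the CWE-190 pattern the description refers to (constructed for this page; not Oj's buf.h source), assuming the string length passes through a signed 32-bit field before memcpy and that size_t is 64 bits:

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the integer-overflow class described in the
 * advisory; this is NOT Oj's code. Assumption: the string length is stored
 * in a signed 32-bit field on its way to memcpy. */

/* What a length above INT_MAX (a string longer than 2 GB) becomes after a
 * round trip through a signed int: it wraps negative, and converting that
 * negative int to size_t sign-extends it into a value near SIZE_MAX, which
 * is the "astronomically large" copy size memcpy would be handed. */
size_t length_after_int_roundtrip(size_t true_len) {
    int32_t stored = (int32_t)true_len; /* truncating store into the field */
    return (size_t)stored;              /* sign-extending reload for memcpy */
}

/* Minimal growable-buffer shape used by the hardened append below. */
typedef struct {
    char *head; /* start of storage */
    char *tail; /* next write position */
    char *end;  /* one past the last usable byte */
} buf_t;

/* Hardened append: keep the length as size_t end-to-end and bound it
 * against the remaining room before memcpy. Returns false and copies
 * nothing when the string would not fit, instead of corrupting the heap. */
bool buf_append_string_checked(buf_t *b, const char *s, size_t slen) {
    size_t room = (size_t)(b->end - b->tail);
    if (slen > room) {
        return false;
    }
    memcpy(b->tail, s, slen);
    b->tail += slen;
    return true;
}

/* Input-side guard for any code path that still stores lengths in an int:
 * reject payloads whose size cannot be represented without wraparound. */
bool length_fits_int(size_t len) {
    return len <= (size_t)INT_MAX;
}

/* Self-check: a 16-byte buffer accepts 5 + 11 bytes, then refuses 1 more. */
bool demo_bounded_append(void) {
    char store[16];
    buf_t b = { store, store, store + sizeof store };
    return buf_append_string_checked(&b, "hello", 5)
        && buf_append_string_checked(&b, "world!!!!!!", 11)
        && !buf_append_string_checked(&b, "x", 1)
        && (size_t)(b.tail - b.head) == 16;
}
```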

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor ohler55
Product oj
Versions
  • Version < 3.17.2 is affected

Problem Types

  • CWE-190: Integer Overflow or Wraparound