CVE-2026-54899

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free. This issue has been fixed in version 3.17.2.
CVSS

No CVSS.

Configurations

No configuration.

History

01 Jul 2026, 00:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-01 00:16

Updated : 2026-07-01 00:16


NVD link : CVE-2026-54899

Mitre link : CVE-2026-54899

CVE.ORG link : CVE-2026-54899


JSON object : View

Products Affected

No product.

CWE
CWE-416

Use After Free