<Vulnerability name="CVE-2026-54898">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-30T23:24:23</PublicDate>
    <Bugzilla id="2495699" url="https://bugzilla.redhat.com/show_bug.cgi?id=2495699" xml:lang="en:us">
oj: Oj: Denial of Service via input string mutation during JSON parsing
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-825</CWE>
    <Details xml:lang="en:us" source="Mitre">
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2,Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Oj, a Ruby library designed for efficient JSON (JavaScript Object Notation) parsing. This vulnerability, a heap use-after-free, occurs when a specific function, called a callback, modifies the input JSON string during the parsing process. This action can lead to the program attempting to access memory that has already been freed, potentially causing the application to crash and resulting in a denial of service.
    </Details>
    <Statement xml:lang="en:us">
Red Hat's only product shipping the Oj Ruby gem (Compliance Backend) already includes version 3.17.3, which contains the fix for this vulnerability. No Red Hat products are affected.
    </Statement>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-54898
https://nvd.nist.gov/vuln/detail/CVE-2026-54898
https://github.com/ohler55/oj/security/advisories/GHSA-q2gm-54r6-8fwm
    </References>
</Vulnerability>