<Vulnerability name="CVE-2026-54902">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-30T23:40:32</PublicDate>
    <Bugzilla id="2495920" url="https://bugzilla.redhat.com/show_bug.cgi?id=2495920" xml:lang="en:us">
Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback
    </Bugzilla>
    <Details xml:lang="en:us" source="Mitre">
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage collection, and a Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content). This issue has been fixed in version 3.17.2.
    </Details>
    <Statement xml:lang="en:us">
Red Hat's only product shipping the Oj Ruby gem (Compliance Backend) already includes version 3.17.3, which contains the fix for this vulnerability. No Red Hat products are affected.
    </Statement>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-54902
https://nvd.nist.gov/vuln/detail/CVE-2026-54902
https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm
    </References>
</Vulnerability>