๐Ÿ” CVE Alert

CVE-2026-54896

UNKNOWN 0.0

Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.

CWE CWE-122
Vendor ohler55
Product oj
Published Jun 30, 2026
Stay Ahead of the Next One

Get instant alerts for ohler55 oj

Be the first to know when new unknown vulnerabilities affecting ohler55 oj are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

ohler55 / oj
< 3.17.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95