๐Ÿ” CVE Alert

CVE-2026-54903

UNKNOWN 0.0

Oj: Integer Overflow in Oj.load 2GB String Handling

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.

CWE CWE-190
Vendor ohler55
Product oj
Published Jun 30, 2026
Stay Ahead of the Next One

Get instant alerts for ohler55 oj

Be the first to know when new unknown vulnerabilities affecting ohler55 oj are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

ohler55 / oj
< 3.17.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp