CVE-2026-54903

Name: CVE-2026-54903
Description: Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative value, which memcpy receives as a size_t and therefore copies an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
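The conversion described above, shown with added C code that is not Oj's buf.h: a hypothetical buffer type, the signed-length pattern the advisory describes (a length that wraps past INT_MAX and is then widened to size_t), and a checked append that keeps the length unsigned and refuses to call memcpy when the size would wrap or exceed capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <string.h>

/* Hypothetical growable buffer for illustration; not Oj's buf_t. */
typedef struct {
    char  *data;
    size_t cap;
    size_t used;
} buf_t;

/* The bug pattern the advisory describes: a length held in a signed int wraps
 * negative once the input exceeds INT_MAX (about 2 GB), and widening that
 * negative int to size_t yields an enormous value. This returns the size
 * memcpy would be handed; it deliberately copies nothing. */
size_t unchecked_copy_size(int64_t actual_len) {
    int len = (int)actual_len;   /* truncates/wraps at 2^31 */
    return (size_t)len;          /* negative int -> value near SIZE_MAX */
}

/* Hardened form: keep the length in size_t end to end and validate the
 * arithmetic and the destination capacity before touching memory.
 * Returns false (and copies nothing) instead of corrupting the heap. */
bool buf_append_checked(buf_t *b, const char *s, size_t len) {
    if (b == NULL || b->data == NULL) return false;
    if (s == NULL && len > 0) return false;
    if (len > SIZE_MAX - b->used) return false;   /* used + len would wrap */
    if (b->used + len > b->cap) return false;     /* caller must grow first */
    memcpy(b->data + b->used, s, len);
    b->used += len;
    return true;
}
```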

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release    Version     Status
ruby-oj (PTS)     bullseye   3.11.0-1    vulnerable
                  bookworm   3.14.2-1    vulnerable
                  trixie     3.16.3-1    vulnerable
                  forky      3.17.1-1    vulnerable
                  sid        3.17.3-1    fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version    Urgency    Origin    Debian Bugs
ruby-oj    source   (unstable)   3.17.3-1

Notes

https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp
