VYPR
← All advisories
Medium severity5.3GHSA Advisory· Published Jun 19, 2026· Updated Jun 19, 2026

Oj: intern.c form_attr (uninitialized stack read)

CVE-2026-54500

Description

Summary

Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory.

Details

In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer b, populating it with the attribute name, and then freeing it — but it passed the **uninitialized stack buffer buf** (not b) to rb_intern3():

static VALUE form_attr(const char *str, size_t len) {
    char buf[256];
    if (sizeof(buf) - 2 <= len) {        // long-key path (len >= 254)
        char *b = OJ_R_ALLOC_N(char, len + 2);
        // ... b is filled correctly ...
        id = rb_intern3(buf, len + 1, oj_utf8_encoding);   // BUG: reads `buf`
        OJ_R_FREE(b);
        return id;
    }
    // ...
}

rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf (CWE-125). The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents.

This is the same defect previously fixed in ext/oj/usual.c; intern.c held a duplicated copy of form_attr that was missed.

Proof of

Concept

require 'oj'
key  = "A" * 300
json = %Q[{"^o":"Object","#{key}":1}]
Oj.load(json, mode: :object)

On affected versions this raises an EncodingError whose message contains ~1500 bytes of uninitialized stack memory (not the supplied "A"s). The leaked byte count varies between runs with the identical payload (e.g. 1491 vs 1516 bytes), confirming the content is uninitialized memory rather than fixed data.

Impact

Information disclosure of process stack memory to a caller that parses untrusted JSON with Oj.load(..., mode: :object). For keys >= 256 bytes it is also an out-of-bounds read (CWE-125).

Severity is bounded by several preconditions: it requires :object mode (which is already discouraged for untrusted input), the leaked bytes are uncontrolled (the attacker cannot choose what is disclosed), and the data only reaches an attacker if the application surfaces the resulting Symbol or EncodingError back to them. Scored CVSS 5.3 (Medium) on that basis.

Patches

Fixed in 3.17.3: form_attr() now passes b to rb_intern3 (a one-character change mirroring the earlier usual.c fix). Verified on the fixed build: the same payload returns cleanly with no leak across repeated runs.

Credit

Reported by Zac Wang (@7a6163).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"In `form_attr()` in `ext/oj/intern.c`, the heap-allocated buffer `b` is correctly filled but the uninitialized stack buffer `buf` is passed to `rb_intern3()`, causing a read of uninitialized stack memory (and an out-of-bounds read for keys >= 256 bytes)."

Attack vector

An attacker supplies a crafted JSON payload with a key of 254 bytes or longer to `Oj.load(..., mode: :object)`. The `form_attr()` function in `intern.c` passes the uninitialized stack buffer `buf` to `rb_intern3()`, which reads `len + 1` bytes of uninitialized stack memory (and out-of-bounds past the 256-byte `buf` when the key is >= 256 bytes). The interned bytes can surface to the caller via the produced Symbol or via the `EncodingError` message raised on invalid UTF-8, leaking process stack contents [ref_id=1][ref_id=2].

Affected code

The bug is in `form_attr()` inside `ext/oj/intern.c`. When the key length is 254 bytes or longer, the function allocates a heap buffer `b`, fills it correctly, but then passes the **uninitialized stack buffer `buf`** (not `b`) to `rb_intern3()`. This is a duplicated copy of the same defect that was previously fixed in `ext/oj/usual.c` but was missed in `intern.c` [ref_id=1][ref_id=2].

What the fix does

The fix in version 3.17.3 is a one-character change: `form_attr()` now passes the heap-allocated buffer `b` (which is correctly populated with the attribute name) to `rb_intern3()` instead of the uninitialized stack buffer `buf`. This mirrors the earlier fix applied to the duplicated copy of `form_attr` in `ext/oj/usual.c`. After the fix, the same PoC payload returns cleanly with no memory leak across repeated runs [ref_id=1][ref_id=2].

Preconditions

  • configThe application must call Oj.load with mode: :object
  • inputThe attacker must be able to supply a JSON payload with a key of 254 bytes or longer
  • authThe leaked data only reaches an attacker if the application surfaces the resulting Symbol or EncodingError back to them

Reproduction

```ruby require 'oj' key = "A" * 300 json = %Q[{"^o":"Object","#{key}":1}] Oj.load(json, mode: :object) ``` On affected versions this raises an `EncodingError` whose message contains ~1500 bytes of uninitialized stack memory (not the supplied "A"s). The leaked byte count varies between runs with the identical payload (e.g. 1491 vs 1516 bytes), confirming the content is uninitialized memory rather than fixed data [ref_id=1][ref_id=2].

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.