VYPR
← All advisories
High severity8.7GHSA Advisory· Published Jun 19, 2026· Updated Jun 19, 2026

Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close

CVE-2026-54897

Description

Summary

Oj::Doc iterators (each_value, each_child, each_leaf) are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/fast.c
  • Latest tested: 3.17.1 (confirmed present)

Details

The iterators in ext/oj/fast.c follow the pattern:

// fast.c:1505 (doc_each_child)
static VALUE doc_each_child(VALUE self, ...) {
    ...
    while (cur != NULL) {
        rb_yield(...);       // ← Ruby block executes here
        cur = cur->next;     // ← cur is now freed if block called close()
    }
}

rb_yield can invoke arbitrary Ruby code, including calling close() on the Doc or any child node, which calls ruby_sized_xfree on the backing buffer. On return, the C code reads cur->next from the freed region. All three iterators are affected.

ASAN report (each_child variant): `` ==253632==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000bd080 READ of size 8 at 0x5210000bd080 thread T0 #0 doc_each_child /ext/oj/fast.c:1505 0x5210000bd080 is located 896 bytes inside of 4064-byte region [0x5210000bcd00, 0x5210000bdce0) freed by thread T0 here: #0 free #1 ruby_sized_xfree (libruby-3.3.so.3.3) ``

All three iterators trigger the same freed region (fd shadow bytes): `` 0x5210000bd080:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd ``

Reproduce

require 'oj'
# each_child
Oj::Doc.open('[1,2]') { |doc| doc.each_child { |d| d.close } }
# each_value
Oj::Doc.open('[1,2]') { |doc| doc.each_value { |v| doc.close } }
# each_leaf
Oj::Doc.open('[1,[2]]') { |doc| doc.each_leaf { |d| d.close } }

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"Missing reentrancy guard in Oj::Doc iterators allows a Ruby block to free the backing buffer via close() while the C iterator still reads from the freed memory."

Attack vector

An attacker who can supply a crafted JSON document and control the Ruby block passed to `Oj::Doc` iterators (`each_child`, `each_value`, `each_leaf`) can trigger a heap use-after-free. When the block calls `doc.close` or `d.close` during iteration, the backing buffer is freed via `ruby_sized_xfree` while the C iterator continues to read from the freed region. This is a classic reentrancy bug [CWE-416] where `rb_yield` allows arbitrary Ruby code to invalidate the iterator's state.

Affected code

The vulnerability resides in `ext/oj/fast.c` in the three iterator functions `doc_each_child`, `doc_each_value`, and `doc_each_leaf`. Each follows the pattern where `rb_yield` is called inside a `while` loop, and after the block returns, the iterator reads `cur->next` from a pointer that may have been freed if the block called `close()` on the document or a child node.

What the fix does

No patch is included in the bundle. The advisory [ref_id=1][ref_id=2] recommends that the iterators must either prevent reentrant calls to `close()` during iteration (e.g., by checking a flag before accessing `cur->next` after `rb_yield`) or pin the backing buffer so it cannot be freed while the C loop is active. Without such a fix, any Ruby block that calls `close()` on the document or a child node during iteration will trigger the use-after-free.

Preconditions

  • inputThe attacker must be able to pass a Ruby block to one of the three Oj::Doc iterators (each_child, each_value, each_leaf) that calls close() on the document or a child node during iteration.
  • inputThe attacker must supply a JSON document that is parsed by Oj::Doc.open and then iterated over.

Reproduction

```ruby require 'oj' # each_child Oj::Doc.open('[1,2]') { |doc| doc.each_child { |d| d.close } } # each_value Oj::Doc.open('[1,2]') { |doc| doc.each_value { |v| doc.close } } # each_leaf Oj::Doc.open('[1,[2]]') { |doc| doc.each_leaf { |d| d.close } } ```

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.