VYPR
← All advisories
High severity8.7GHSA Advisory· Published Jun 19, 2026· Updated Jun 19, 2026

Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback

CVE-2026-54902

Description

Summary

Oj::Parser in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content).

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/saj2.c / ext/oj/parser.c
  • Latest tested: 3.17.1 (confirmed present)

Details

Short keys (≤ 34 bytes) are stored inline on the C stack and are safe. Long keys (≥ 35 bytes) are stored as heap-allocated Ruby String objects passed to rb_funcall as the key argument. Between the key being resolved and the callback completing, a GC triggered inside the callback (e.g. GC.start) can collect the key String, leaving a dangling VALUE.

Crash output: `` long_key_trigger [BUG] Segmentation fault at 0x0000000000004242 close_object+0x260 /ext/oj/usual.c:405 (calls rb_funcall with freed key) parse+0x11ff /ext/oj/parser.c:693 parser_parse+0x145 /ext/oj/parser.c:1408 RIP: 0x7fd1b46d68b7 RDI: 0x0000000000004242 (freed key VALUE) R12: 0x0000000000004242 ``

The freed VALUE 0x4242 shows the attacker-controlled content of the key string was loaded as a pointer — a classic use-after-free indicator.

Reproduce

require 'oj'

class H < Oj::Saj
  def add_value(value, key)
    GC.start(full_mark: true, immediate_sweep: true) if key == 'x'
  end
  def hash_start(key); end
  def hash_end(key); end
end

p = Oj::Parser.new(:saj)
p.handler = H.new
p.parse('{"' + 'A' * 35 + '":{"x":1}}')  # long outer key, GC fires on inner key

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"Missing GC protection for heap-allocated long keys in Oj::Parser SAJ mode allows a use-after-free when a user callback triggers garbage collection."

Attack vector

An attacker supplies a crafted JSON payload containing a long object key (≥35 bytes) whose VALUE is heap-allocated rather than stack-inlined. When the SAJ parser invokes the user's `hash_end` callback, the attacker's callback triggers a garbage collection (e.g. via `GC.start`). The GC reclaims the key String object while the C parser still holds a dangling pointer to it. The subsequent `rb_funcall` dereferences the freed VALUE, causing a segmentation fault. The crash RIP points to address `0x4242`, a canary pattern indicating the attacker may control the freed memory's content. [ref_id=1] [ref_id=2]

Affected code

The bug resides in `ext/oj/saj2.c` and `ext/oj/parser.c` (files `ext/oj/usual.c` and `ext/oj/parser.c` are cited in the crash backtrace). The `close_object` function at `ext/oj/usual.c:405` calls `rb_funcall` with a key VALUE that may have been freed by a GC triggered inside the user's callback. The `parse` function at `ext/oj/parser.c:693` and `parser_parse` at `ext/oj/parser.c:1408` are the call sites that lead to the use-after-free. [ref_id=1] [ref_id=2]

What the fix does

The advisory does not include a patch diff. The recommended fix is to register the long-key VALUE with the Ruby GC (e.g. via `rb_gc_register_address` or `RB_GC_GUARD`) so that it is not collected while the C parser still holds a reference. Alternatively, the parser could copy the key string into a stack buffer or mark it as an GC root before invoking the callback. Without such protection, any user callback that triggers GC can free the key string, leading to a use-after-free. [ref_id=1] [ref_id=2]

Preconditions

  • configThe application must use Oj::Parser in SAJ mode with a user-defined handler that triggers garbage collection inside a callback (e.g. hash_end).
  • inputThe attacker must be able to supply a JSON payload containing at least one object key of 35 bytes or longer.

Reproduction

```ruby require 'oj'

class H < Oj::Saj def add_value(value, key) GC.start(full_mark: true, immediate_sweep: true) if key == 'x' end def hash_start(key); end def hash_end(key); end end

p = Oj::Parser.new(:saj) p.handler = H.new p.parse('{"' + 'A' * 35 + '":{"x":1}}') # long outer key, GC fires on inner key ```

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.