CVE-2026-54899: Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle

June 19, 2026

Disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free.

References

github.com/advisories/GHSA-2cw7-v8ff-p88r
github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r
nvd.nist.gov/vuln/detail/CVE-2026-54899

Code Behaviors & Features

Detect and mitigate CVE-2026-54899 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →