CVE-2026-54900: Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling

June 19, 2026

Oj::Parser#parse in usual mode with create_id enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process.

References

github.com/advisories/GHSA-9cv6-qcjw-4grx
github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx
nvd.nist.gov/vuln/detail/CVE-2026-54900

Code Behaviors & Features

Detect and mitigate CVE-2026-54900 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →