CVE-2026-54902: Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback

June 19, 2026

Oj::Parser in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory’s content).

References

github.com/advisories/GHSA-m578-w5vf-rfcm
github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm
nvd.nist.gov/vuln/detail/CVE-2026-54902

Code Behaviors & Features

Detect and mitigate CVE-2026-54902 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →