Bug 2495790 (CVE-2026-54897) - CVE-2026-54897 oj: Oj: Use-After-Free in Oj::Doc Iterators via reentrant close
Summary: CVE-2026-54897 oj: Oj: Use-After-Free in Oj::Doc Iterators via reentrant close
Keywords:
Status: NEW
Alias: CVE-2026-54897
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-01 00:17 UTC by OSIDB Bzimport
Modified: 2026-07-07 10:25 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-01 00:17:49 UTC
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby. This issue has been fixed in version 3.17.2.


Note You need to log in before you can comment on or make changes to this bug.