Skip to content

Oj: intern.c form_attr (uninitialized stack read)

Moderate severity GitHub Reviewed Published Jun 16, 2026 in ohler55/oj • Updated Jun 19, 2026

Package

bundler oj (RubyGems)

Affected versions

< 3.17.3

Patched versions

3.17.3

Description

Summary

Oj.load in :object mode reads uninitialized stack memory (and, for long
keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes
or longer. The interned bytes can surface to the caller, disclosing process
stack memory.

Details

In ext/oj/intern.c, form_attr() handles the long-key path by allocating a
heap buffer b, populating it with the attribute name, and then freeing it —
but it passed the uninitialized stack buffer buf (not b) to
rb_intern3():

static VALUE form_attr(const char *str, size_t len) {
    char buf[256];
    if (sizeof(buf) - 2 <= len) {        // long-key path (len >= 254)
        char *b = OJ_R_ALLOC_N(char, len + 2);
        // ... b is filled correctly ...
        id = rb_intern3(buf, len + 1, oj_utf8_encoding);   // BUG: reads `buf`
        OJ_R_FREE(b);
        return id;
    }
    // ...
}

rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory.
When the key length is >= 256, it also reads out of bounds past the 256-byte
buf (CWE-125). The resulting bytes are interned and can reach the caller via
the produced Symbol or via the EncodingError message raised on invalid
UTF-8, leaking process stack contents.

This is the same defect previously fixed in ext/oj/usual.c; intern.c held
a duplicated copy of form_attr that was missed.

Proof of Concept

require 'oj'
key  = "A" * 300
json = %Q[{"^o":"Object","#{key}":1}]
Oj.load(json, mode: :object)

On affected versions this raises an EncodingError whose message contains
~1500 bytes of uninitialized stack memory (not the supplied "A"s). The leaked
byte count varies between runs with the identical payload (e.g. 1491 vs 1516
bytes), confirming the content is uninitialized memory rather than fixed data.

Impact

Information disclosure of process stack memory to a caller that parses
untrusted JSON with Oj.load(..., mode: :object). For keys >= 256 bytes it is
also an out-of-bounds read (CWE-125).

Severity is bounded by several preconditions: it requires :object mode
(which is already discouraged for untrusted input), the leaked bytes are
uncontrolled (the attacker cannot choose what is disclosed), and the data only
reaches an attacker if the application surfaces the resulting Symbol or
EncodingError back to them. Scored CVSS 5.3 (Medium) on that basis.

Patches

Fixed in 3.17.3: form_attr() now passes b to rb_intern3 (a
one-character change mirroring the earlier usual.c fix). Verified on the
fixed build: the same payload returns cleanly with no leak across repeated
runs.

Credit

Reported by Zac Wang (@7a6163).

References

@ohler55 ohler55 published to ohler55/oj Jun 16, 2026
Published to the GitHub Advisory Database Jun 19, 2026
Reviewed Jun 19, 2026
Last updated Jun 19, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS score

Weaknesses

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer. Learn more on MITRE.

Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized. Learn more on MITRE.

CVE ID

CVE-2026-54500

GHSA ID

GHSA-fm7p-mprw-wjm9

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.