CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54902

unknowncovered by 1 sourcefirst seen 2026-07-01
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage collection, and a Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content). This issue has been fixed in version 3.17.2.

⚡ Watch CVE-2026-54902

Get an email if CVE-2026-54902 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54902

CVE.org record

Embed the live status

CVE-2026-54902 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54902 status](https://www.csirts.com/badge/CVE-2026-54902)](https://www.csirts.com/cve/CVE-2026-54902)