CVE-2026-54592 is a high-severity out-of-bounds read vulnerability in oj (rubygems), affecting versions < 3.17.3. It is fixed in 3.17.3.
Summary Oj::Doc#eachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. Details Two-step chain in ext/oj/fast.c: doceachchild (~line 1501) increments doc->where past the wherepath[MAXSTACK = 100] array with no bounds check, and never restores it (doc->where-- is missing). Calling eachchild recursively from inside the yield block therefore drives doc->where beyond the array. On the next entry (~line 1478) the function copies the path into a stack-local buffer: c Leaf savepath[MAXSTACK]; // 800-byte stack buffer sizet wlen = doc->where - doc->wherepath; if (0 < wlen) { memcpy(savepath, doc->wherepath, sizeof(Leaf) * (wlen + 1)); } When the previous recursive call left doc->where past wherepath[100], wlen exceeds MAXSTACK and the memcpy overflows savepath on the C stack. The Oj::Doc parser imposes no JSON nesting-depth limit (it relies on a C-stack pressure check), so deeply nested attacker input reaches this path. Proof of Concept Recursion depth <= 99 iterates normally; depth >= 101 aborts. lldb backtrace on the affected build (ruby 3.3.8 / arm64-darwin24): Impact Reliable denial of service: any endpoint that calls Oj::Doc.open(untrusted) { |d| d.eachchild ... } recursively can be crashed with a small deeply-nested payload. On builds with a stack protector (the default, -fstack-protector-strong) the canary aborts the process before the saved return address is used. The Step-1 heap OOB writes into struct doc fields do occur, but are masked in practice because the Step-2 stack overflow crashes first; turning them into anything beyond a crash has not been demonstrated. Patches Fixed in 3.17.3: doceachchild now bounds-checks before incrementing doc->where (raising Oj::DepthError) and restores doc->where after the loop, matching the existing eachleaf pattern. Verified on the fixed build: depth >= 101 raises a clean Oj::DepthError instead of aborting. Credit Reported by Zac Wang (@7a6163).
A read operation accesses a memory location beyond the intended buffer boundary. Typical impact: sensitive data disclosure or crash.
CVE-2026-54592 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (3.17.3). Upgrading removes the vulnerable code path.
rubygems
oj (< 3.17.3)oj → 3.17.3 (rubygems)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-54592 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-54592 is reachable in your applications. Get a demo
Upgrade oj to 3.17.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-54592 is a high-severity out-of-bounds read vulnerability in oj (rubygems), affecting versions < 3.17.3. It is fixed in 3.17.3. A read operation accesses a memory location beyond the intended buffer boundary.
CVE-2026-54592 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
oj (rubygems) versions < 3.17.3 is affected.
Yes. CVE-2026-54592 is fixed in 3.17.3. Upgrade to this version or later.
Whether CVE-2026-54592 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade oj to 3.17.3 or later.