CVE-2026-54696

Severity: LOW (3.7, CVSS 3.1)
Description
Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to a heap buffer overflow when the JSON generator is given an oversized streamed object. When streaming to an IO, JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer if the streamed object contains an attacker-controlled string of roughly 16 KB. Exploitation would result in a reliable process crash (denial of service). This issue has been fixed in version 2.19.9.

Metadata

CVE ID
CVE-2026-54696
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 22:58 UTC
Published
2026-06-30 22:05 UTC
Last updated
2026-06-30 22:05 UTC
Primary CWE
CWE-122
CWE-122: Heap-based Buffer Overflow
Vendor / Product
ruby / json
Sources
cve.org  ·  NVD

Severity & Metrics

3.7 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products (1)
Vendor    Product    Platform    Versions
ruby      json       (any)       >= 2.9.0, < 2.19.9
Weakness (CWE)
CWE        Source    Description
CWE-122    cna       CWE-122: Heap-based Buffer Overflow
CWE-131    cna       CWE-131: Incorrect Calculation of Buffer Size
CWE-787    cna       CWE-787: Out-of-bounds Write
CVSS scores (1)
Score    Severity    Version    Source    Vector
3.7      LOW         3.1        cna       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
References (2)