Skip to main content

Ruby JSON CVE-2026-54696

LOW
Heap-based Buffer Overflow (CWE-122)
2026-06-30 GitHub_M
3.7
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.9 MEDIUM

AC:H retained for the ~16 KB string-size precision requirement; A:H assigned because the heap overflow reliably crashes the process, not merely degrades it.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 23:40 vuln.today

DescriptionCVE.org

Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer when a streamed object contains an attacker-controlled string near 16 KB. Exploitation would result in a reliable process crash/denial of service. This issue has been fixed in version 2.19.9.

AnalysisAI

Heap buffer overflow in the Ruby JSON gem's streaming generator (versions 2.9.0-2.19.8) enables reliable process crash via attacker-controlled serialized data. When applications invoke JSON.dump(obj, io) or JSON::State#generate(obj, io) to stream JSON to an IO object, the C-level generator can write past its internal buffer if the serialized object contains a string near 16 KB in size. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply ~16 KB string in request payload
Delivery
Application streams object to IO via JSON.dump
Exploit
C generator advances write pointer past heap buffer end
Execution
Heap corruption triggers process crash
Impact
Denial of service achieved

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: (1) the application must invoke the streaming form of the JSON generator - specifically `JSON.dump(obj, io)` or `JSON::State#generate(obj, io)` where `io` is an IO object, not a String; and (2) the object being serialized must contain an attacker-controlled string value approaching 16 KB in length. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) scores 3.7 (Low), which is broadly consistent with the observed threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a JSON serialization request to a Ruby web application - for example, an API endpoint that reflects user-supplied data - where the handler calls `JSON.dump(payload, response_io)` to stream the response. By crafting a string value in the payload that is just under 16 KB, the attacker causes the C-level generator to write past its internal buffer on the heap, crashing the Ruby worker process and returning a 500 error or connection reset to the client. …
Remediation Upgrade the Ruby JSON gem to version 2.19.9, which contains the vendor-confirmed fix per the GitHub release at https://github.com/ruby/json/releases/tag/v2.19.9 and the security advisory at https://github.com/ruby/json/security/advisories/GHSA-x2f5-4prf-w687. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy