{
  "variant_id": "CVE-2026-54500-vulnvariant-001",
  "created_at": "2026-07-02T17:37:00Z",
  "variant_summary": "No bypass or distinct alternate trigger was found. The fix (intern.c buf->b, commit bbde91a, v3.17.3) fully closes the only reachable copy of the form_attr uninitialized-stack-memory-read sink (Oj.load :object mode -> object.c -> oj_attr_intern -> intern.c form_attr). The duplicate copy in usual.c was already fixed earlier (ec368db, an ancestor of v3.17.2). An 11-mode empirical sweep on both the vulnerable (495cc38) and fixed (bbde91a) versions confirms that only :object mode leaks, and only on the vulnerable version.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "ohler55/oj",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "495cc38fc5a02681da2175960d4a667fae48f3c9",
    "version": "3.17.2",
    "ref": "v3.17.2",
    "display": "ohler55/oj @ 495cc38 (v3.17.2, vulnerable)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "bbde91a679728f94c4492ebc3683f4fa3309049f",
    "version": "3.17.3",
    "ref": "v3.17.3",
    "display": "ohler55/oj @ bbde91a (v3.17.3, fixed) — tested for bypass"
  },
  "same_root_cause_confidence": 1.0,
  "same_surface_confidence": 1.0,
  "claimed_surface": "Uninitialized stack memory read in ext/oj/intern.c form_attr() long-key path via Oj.load :object mode with a key >= 254 bytes",
  "validated_surface": "Confirmed the ONLY leaking entry point is Oj.load :object mode (object.c -> oj_attr_intern -> intern.c form_attr). No alternate entry point reproduces the leak on either version. The fixed version (bbde91a) is clean on all 11 tested modes.",
  "required_entrypoint_kind": "library_api",
  "required_entrypoint_detail": "Oj.load(json, mode: :object) with ^o:Oj::Bag and a >=254-byte key; also swept :compat, :rails, :strict, :null, :wab, :custom and Oj::Parser.new(:usual) with/without create_id",
  "attacker_controlled_input": "JSON object key of length >= 254 bytes (tested with 300 bytes of 'A')",
  "trigger_path": "Oj.load(:object) -> object.c:oj_set_obj_ivar -> intern.c:oj_attr_intern -> cache.c:cache_intern (CACHE_MAX_KEY=35) -> intern.c:form_attr long-key branch (len>=254) -> rb_intern3(uninitialized buf)",
  "observed_impact_class": "information_disclosure",
  "exploitability_confidence": 0.95,
  "evidence_scope": "empirical_multi_mode_sweep_both_versions",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "No distinct variant or bypass was confirmed. The fix completely covers the only reachable sink; every alternate entry point either does not reach form_attr or uses usual.c's already-fixed copy. The negative result is well supported by both static and empirical analysis.",
  "blocking_mitigation": "intern.c:form_attr long-key path fixed (buf->b) in bbde91a; usual.c:form_attr fixed earlier in ec368db (ancestor of v3.17.2). No remaining unfixed copy of the pattern exists.",
  "file_path": "ext/oj/intern.c",
  "line_start": 56,
  "line_end": 86,
  "secondary_anchors": [
    {
      "file_path": "ext/oj/usual.c",
      "line_start": 55,
      "line_end": 75
    },
    {
      "file_path": "ext/oj/object.c",
      "line_start": 380,
      "line_end": 387
    },
    {
      "file_path": "ext/oj/cache.c",
      "line_start": 324,
      "line_end": 325
    }
  ],
  "review_scope_paths": [
    "ext/oj/intern.c",
    "ext/oj/usual.c",
    "ext/oj/object.c",
    "ext/oj/cache.c",
    "ext/oj/strict.c",
    "ext/oj/compat.c",
    "ext/oj/wab.c",
    "ext/oj/custom.c",
    "ext/oj/parser.c",
    "ext/oj/fast.c"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant_repro.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/probe_variant.rb"
    ]
  }
}
