[DRE-maint] Bug#1134920: ruby3.3: CVE-2026-41316
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 25 19:58:43 BST 2026
Source: ruby3.3
Version: 3.3.8-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for ruby3.3.
CVE-2026-41316[0]:
| ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0
| was published on rubygems.org) introduced an `@_init` instance
| variable guard in `ERB#result` and `ERB#run` to prevent code
| execution when an ERB object is reconstructed via `Marshal.load`
| (deserialization). However, three other public methods that also
| evaluate `@src` via `eval()` were not given the same guard:
| `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker
| who can trigger `Marshal.load` on untrusted data in a Ruby
| application that has `erb` loaded can use `ERB#def_module` (zero-
| arg, default parameters) as a code execution sink, bypassing the
| `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and
| 6.0.4 patch the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41316
https://www.cve.org/CVERecord?id=CVE-2026-41316
[1] https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
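The advisory above turns on one mechanism: `Marshal.load` rebuilds an object from its instance variables and never calls `initialize`, so a marker set in `initialize` is missing on a deserialized object, and any method that evaluates `@src` must check that marker before doing so. The following is an added illustration of that guard pattern, not code from ERB, Debian or the reporter: `GuardedTemplate`, `SAMPLE_SRC`, `reconstructed_template` and `guard_report` are constructed for this demo, the mini-compiler only understands `<%= %>` tags, and the choice of `self.class.singleton_class` as the marker is my recollection of ERB's approach rather than something stated on this page. The constructed template (`SAMPLE_SRC`) stands in for a user-supplied template; `reconstructed_template` stands in for an object rebuilt from a serialized blob.

```ruby
# Added illustration (not ERB's own code) of the @_init guard described in
# the advisory, applied to *every* eval-based sink rather than only #result.

SAMPLE_SRC = "Hello, <%= name %>!"   # constructed sample template

class GuardedTemplate
  attr_reader :src

  # Marshal.load restores instance variables and skips #initialize, so
  # @_init is nil on a deserialized object. A singleton class cannot be
  # marshalled at all (Marshal.dump raises TypeError), so no serialized blob
  # can carry a valid marker. (Marker choice is an assumption about ERB.)
  def initialize(src)
    @src   = src
    @_init = self.class.singleton_class
  end

  # Every method that turns @src into executable code calls this first;
  # the advisory's sinks were exactly the methods that skipped it.
  def check_init!
    unless @_init.equal?(self.class.singleton_class)
      raise ArgumentError, "not initialized properly"
    end
  end
  private :check_init!

  # Compile the template to Ruby source (simplified: only <%= %> tags).
  def compiled_src
    code = +"_buf = +''\n"
    @src.split(/(<%=.*?%>)/).each do |chunk|
      if chunk.start_with?("<%=")
        code << "_buf << (#{chunk[3..-3]}).to_s\n"
      else
        code << "_buf << #{chunk.inspect}\n"
      end
    end
    code << "_buf"
  end

  # Guarded sink analogous to ERB#result.
  def result(b = TOPLEVEL_BINDING)
    check_init!
    eval(compiled_src, b)
  end

  # Guarded sink analogous to ERB#def_method / #def_module: the compiled
  # source becomes a method body, so it needs the same guard.
  def def_method(mod, name)
    check_init!
    mod.module_eval("def #{name}\n#{compiled_src}\nend")
  end
end

# Builds an object the way Marshal.load delivers it: instance variables
# restored, #initialize never run. Stand-in for a blob from untrusted input
# (allocate skips #initialize just like deserialization does).
def reconstructed_template(src)
  bare = GuardedTemplate.allocate
  bare.instance_variable_set(:@src, src)
  Marshal.load(Marshal.dump(bare))
end

# Exercises a properly constructed template and a reconstructed one against
# both sinks. Returns a Hash: fresh sinks work, rebuilt sinks are blocked.
def guard_report
  report = {}
  name = "world"                         # local read by SAMPLE_SRC via binding
  fresh = GuardedTemplate.new(SAMPLE_SRC)
  report[:fresh_result] = fresh.result(binding)
  mod = Module.new
  fresh.def_method(mod, :render)
  report[:fresh_def_method] = mod.method_defined?(:render)

  rebuilt = reconstructed_template(SAMPLE_SRC)
  report[:rebuilt_result] = begin
    rebuilt.result(binding); false
  rescue ArgumentError
    true
  end
  report[:rebuilt_def_method] = begin
    rebuilt.def_method(Module.new, :render); false
  rescue ArgumentError
    true
  end
  report
end

puts guard_report.inspect if $PROGRAM_NAME == __FILE__
```

The point for a maintainer reviewing a backport is the coverage of `check_init!`: a guard on `result` alone leaves `def_method` as an unguarded path to the same `eval`, which is the shape of the bug the advisory describes. Independently of the guard, the durable mitigation remains not calling `Marshal.load` on data from untrusted sources.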