CVE-2026-41316
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard: ERB#def_method, ERB#def_module, and ERB#def_class. An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ruby | erb | < 4.0.3.1 | affected |
| ruby | erb | = 4.0.4 | affected |
| ruby | erb | >= 5.0.0, < 6.0.1.1 | affected |
| ruby | erb | >= 6.0.2, < 6.0.4 | affected |
Weaknesses
- CWE-693: CWE-693: Protection Mechanism Failure
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
erb: ERB: Arbitrary code execution via deserialization bypass
Additional References
- https://access.redhat.com/security/cve/CVE-2026-41316
- https://bugzilla.redhat.com/show_bug.cgi?id=2461369
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41316.json
- https://access.redhat.com/errata/RHSA-2026:33478
- https://access.redhat.com/errata/RHSA-2026:18065
- https://access.redhat.com/errata/RHSA-2026:20606
- https://access.redhat.com/errata/RHSA-2026:20614
- https://access.redhat.com/errata/RHSA-2026:20670
- https://access.redhat.com/errata/RHSA-2026:26312
- https://access.redhat.com/errata/RHSA-2026:26655
- https://access.redhat.com/errata/RHSA-2026:33462
- https://access.redhat.com/errata/RHSA-2026:18039
- https://access.redhat.com/errata/RHSA-2026:18030
- https://access.redhat.com/errata/RHSA-2026:20596
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.