CVE-2026-41316

EUVD-2026-25385
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
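The two things a defender wants to do with this record are (a) tell whether an installed `erb` is in one of the fixed release lines the advisory names, and (b) stop an `ERB` object from ever being reconstructed from untrusted bytes, since the sink only exists once `Marshal.load` has rebuilt the object. The following Ruby is an added example written for this page; it is not code from the CVE record, the `erb` gem, Red Hat or Amazon. The names `erb_fix_status`, `FIXED_RANGES`, `marshal_constant_names`, `screened_marshal_load`, `refused?` and the two sample blobs are my own. It assumes that releases after a listed fixed version in the same line keep the fix (so `6.0.4` is treated as open-ended), and it treats every version the advisory does not list (including the 5.x line) as "not in a listed fixed range" rather than guessing. The Marshal scan is a heuristic: it does not fully parse the stream, it only decodes the one-byte symbol-length form, and a name denylist is a compensating control that cannot know every gadget class; the durable fix remains updating `erb` and not passing untrusted input to `Marshal.load` at all.

```ruby
# Added example for CVE-2026-41316; not code from the CVE record, the erb gem
# or any vendor. Two defender-side checks:
#   1. erb_fix_status(version) classifies an erb gem version against the fixed
#      releases the advisory lists (4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4).
#   2. marshal_constant_names(blob) / screened_marshal_load(blob) inspect a
#      Marshal byte stream for class names before Marshal.load runs, so a blob
#      naming ERB is refused rather than reconstructed.
require "rubygems"   # Gem::Version
require "erb"        # only needed for installed_erb_version

# Ranges [lo, hi) in which the advisory's fix is present; nil = open-ended.
# Assumption: later releases in a fixed line keep the fix. The 5.x line is
# not mentioned by the advisory, so it never classifies as :patched here.
FIXED_RANGES = [
  ["4.0.3.1", "4.0.4"],
  ["4.0.4.1", "5.0.0"],
  ["6.0.1.1", "6.0.2"],
  ["6.0.4",   nil],
].freeze

def erb_fix_status(version_string)
  v = Gem::Version.new(version_string)
  fixed = FIXED_RANGES.any? do |lo, hi|
    v >= Gem::Version.new(lo) && (hi.nil? || v < Gem::Version.new(hi))
  end
  fixed ? :patched : :not_in_listed_fixed_range
end

# ERB::VERSION on current releases; older erb only has ERB.version, whose
# string may carry extra text, so extract the dotted number.
def installed_erb_version
  raw = defined?(ERB::VERSION) ? ERB::VERSION : ERB.version
  raw[/\d+(?:\.\d+)+/]
end

MARSHAL_HEADER = "\x04\x08".b
# Marshal writes the string-encoding ivar as the symbol :E; it is not a class.
MARSHAL_INTERNAL_SYMBOLS = %w[E].freeze
DENIED_CONSTANTS = %w[ERB].freeze

# Heuristic extraction of constant-like symbol names from a Marshal 4.8
# stream. A symbol's first occurrence is always written out as ':' + length +
# bytes, so any ERB instance in the stream produces ":\x08ERB" somewhere.
# Only the one-byte length form (1..122 bytes, stored as length + 5) is
# decoded; the stream is not fully parsed, so a ':' inside string data can
# produce a false positive. That is acceptable for a refuse-by-default screen.
def marshal_constant_names(blob)
  data = blob.b
  names = []
  i = 0
  while (i = data.index(":".b, i))
    len_byte = data.getbyte(i + 1)
    break if len_byte.nil?
    if len_byte.between?(6, 127)
      len = len_byte - 5
      name = data[i + 2, len]
      if name && name.bytesize == len &&
         name.match?(/\A[A-Z][A-Za-z0-9_]*(?:::[A-Z][A-Za-z0-9_]*)*\z/) &&
         !MARSHAL_INTERNAL_SYMBOLS.include?(name)
        names << name.force_encoding(Encoding::UTF_8)
      end
    end
    i += 1
  end
  names.uniq
end

def references_denied_constant?(blob)
  (marshal_constant_names(blob) & DENIED_CONSTANTS).any?
end

# Loads only after the screen passes. A name denylist is a compensating
# control, not a substitute for updating erb and keeping untrusted bytes
# away from Marshal.load.
def screened_marshal_load(blob)
  data = blob.b
  raise ArgumentError, "not a Marshal 4.8 stream" unless data.start_with?(MARSHAL_HEADER)
  hits = marshal_constant_names(data) & DENIED_CONSTANTS
  raise SecurityError, "refusing to deserialize: names #{hits.join(', ')}" unless hits.empty?
  Marshal.load(data)
end

def refused?(blob)
  screened_marshal_load(blob)
  false
rescue SecurityError
  true
end

# Constructed samples. SUSPECT_BLOB is the byte layout Marshal uses for a bare
# ERB instance with no ivars ('o', symbol :ERB, ivar count 0); BENIGN_BLOB is
# an ordinary hash an application might legitimately round-trip.
SUSPECT_BLOB = "\x04\x08o:\x08ERB\x00".b
BENIGN_BLOB  = Marshal.dump({ "user" => "alice", "count" => 3 })

if __FILE__ == $PROGRAM_NAME
  puts "installed erb #{installed_erb_version}: #{erb_fix_status(installed_erb_version)}"
  puts "suspect blob refused: #{refused?(SUSPECT_BLOB)}"
  puts "benign blob loads:    #{screened_marshal_load(BENIGN_BLOB).inspect}"
end
```

Run it as a script to see the installed gem classified and the two sample blobs screened. The version check deliberately treats `4.0.4` as unpatched even though it is numerically above `4.0.3.1`, because the advisory fixes that line at `4.0.4.1`; a plain "greater than the lowest fixed version" comparison would get this wrong.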
Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 8.1 HIGH   | NETWORK     | HIGH            | NONE           | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score: CVSS 3.x
EPSS Score: percentile 15%
Awaiting analysis: this vulnerability is currently awaiting analysis.
Red Hat Enterprise Linux Releases

Red Hat Product | Release | Version | Status
ruby | RHEL 9 | 0:3.0.7-166.el9_7 | fixed
ruby-default-gems | RHEL 9 | 0:3.0.7-166.el9_7 | fixed
ruby-devel | RHEL 9 | 0:3.0.7-166.el9_7 | fixed
ruby-doc | RHEL 9 | 0:3.0.7-166.el9_7 | fixed
ruby-libs | RHEL 9 | 0:3.0.7-166.el9_7 | fixed
rubygem-bigdecimal | RHEL 9 | 0:3.0.0-166.el9_7 | fixed
rubygem-bundler | RHEL 9 | 0:2.2.33-166.el9_7 | fixed
rubygem-io-console | RHEL 9 | 0:0.5.7-166.el9_7 | fixed
rubygem-irb | RHEL 9 | 0:1.3.5-166.el9_7 | fixed
rubygem-json | RHEL 9 | 0:2.5.1-166.el9_7 | fixed
rubygem-minitest | RHEL 9 | 0:5.14.2-166.el9_7 | fixed
rubygem-power | RHEL 9 | 0:1.2.1-166.el9_7 | fixed
rubygem-psych | RHEL 9 | 0:3.3.2-166.el9_7 | fixed
rubygem-rake | RHEL 9 | 0:13.0.3-166.el9_7 | fixed
rubygem-rbs | RHEL 9 | 0:1.4.0-166.el9_7 | fixed
rubygem-rdoc | RHEL 9 | 0:6.3.4.1-166.el9_7 | fixed
rubygem-rexml | RHEL 9 | 0:3.2.5-166.el9_7 | fixed
rubygem-rss | RHEL 9 | 0:0.2.9-166.el9_7 | fixed
rubygem-test-unit | RHEL 9 | 0:3.3.7-166.el9_7 | fixed
rubygem-typeprof | RHEL 9 | 0:0.15.2-166.el9_7 | fixed
rubygems | RHEL 9 | 0:3.2.33-166.el9_7 | fixed
rubygems-devel | RHEL 9 | 0:3.2.33-166.el9_7 | fixed
Amazon Linux Releases

Amazon Package | Release | Version | Status
ruby | Amazon Linux 2 | 0:2.0.0.648-36.amzn2.0.18 | fixed
ruby-debuginfo | Amazon Linux 2 | 0:2.0.0.648-36.amzn2.0.18 | fixed
ruby-devel | Amazon Linux 2 | 0:2.0.0.648-36.amzn2.0.18 | fixed
ruby-doc | Amazon Linux 2 | 0:2.0.0.648-36.amzn2.0.18 | fixed
ruby-irb | Amazon Linux 2 | 0:2.0.0.648-36.amzn2.0.18 | fixed
ruby-libs | Amazon Linux 2 | 0:2.0.0.648-36.amzn2.0.18 | fixed
ruby-tcltk | Amazon Linux 2 | 0:2.0.0.648-36.amzn2.0.18 | fixed
ruby3.4 | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-bundled-gems | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-bundled-gems-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-debugsource | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-default-gems | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-devel | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-doc | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-libs | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-libs-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-bigdecimal | Amazon Linux 2023 | 0:3.1.8-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-bigdecimal-debuginfo | Amazon Linux 2023 | 0:3.1.8-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-bundler | Amazon Linux 2023 | 0:2.6.9-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-io-console | Amazon Linux 2023 | 0:0.8.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-io-console-debuginfo | Amazon Linux 2023 | 0:0.8.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-irb | Amazon Linux 2023 | 0:1.14.3-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-json | Amazon Linux 2023 | 0:2.9.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-json-debuginfo | Amazon Linux 2023 | 0:2.9.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-minitest | Amazon Linux 2023 | 0:5.25.4-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-power_assert | Amazon Linux 2023 | 0:2.0.5-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-psych | Amazon Linux 2023 | 0:5.2.2-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-psych-debuginfo | Amazon Linux 2023 | 0:5.2.2-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-racc | Amazon Linux 2023 | 0:1.8.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-racc-debuginfo | Amazon Linux 2023 | 0:1.8.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-rake | Amazon Linux 2023 | 0:13.2.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-rbs | Amazon Linux 2023 | 0:3.8.0-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-rbs-debuginfo | Amazon Linux 2023 | 0:3.8.0-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-rdoc | Amazon Linux 2023 | 0:6.14.0-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-rexml | Amazon Linux 2023 | 0:3.4.4-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-rss | Amazon Linux 2023 | 0:0.3.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-test-unit | Amazon Linux 2023 | 0:3.6.7-27.amzn2023.0.5 | fixed
ruby3.4-rubygem-typeprof | Amazon Linux 2023 | 0:0.30.1-27.amzn2023.0.5 | fixed
ruby3.4-rubygems | Amazon Linux 2023 | 0:3.6.9-27.amzn2023.0.5 | fixed
ruby3.4-rubygems-devel | Amazon Linux 2023 | 0:3.6.9-27.amzn2023.0.5 | fixed
rubygem-bigdecimal | Amazon Linux 2 | 0:1.2.0-36.amzn2.0.18 | fixed
rubygem-io-console | Amazon Linux 2 | 0:0.4.2-36.amzn2.0.18 | fixed
rubygem-json | Amazon Linux 2 | 0:1.7.7-36.amzn2.0.18 | fixed
rubygem-minitest | Amazon Linux 2 | 0:4.3.2-36.amzn2.0.18 | fixed
rubygem-psych | Amazon Linux 2 | 0:2.0.0-36.amzn2.0.18 | fixed
rubygem-rake | Amazon Linux 2 | 0:0.9.6-36.amzn2.0.18 | fixed
rubygem-rdoc | Amazon Linux 2 | 0:4.0.0-36.amzn2.0.18 | fixed
rubygems | Amazon Linux 2 | 0:2.0.14.1-36.amzn2.0.18 | fixed
rubygems-devel | Amazon Linux 2 | 0:2.0.14.1-36.amzn2.0.18 | fixed