CVE-2025-7207

NameCVE-2025-7207
DescriptionA vulnerability, which was classified as problematic, was found in mruby up to 3.4.0-rc2. Affected is the function scope_new of the file mrbgems/mruby-compiler/core/codegen.c of the component nregs Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended to apply a patch to fix this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1109338

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mruby (PTS)bullseye2.1.2-3vulnerable
bookworm3.1.0-3vulnerable
trixie, sid3.3.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mrubysource(unstable)(unfixed)1109338

Notes

[bookworm] - mruby <no-dsa> (Minor issue)
[bullseye] - mruby <postponed> (Minor issue)
https://github.com/mruby/mruby/issues/6509
https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
Search for package or bug name: Reporting problems