CVE-2026-41316

Name: CVE-2026-41316
Description: ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org as a separate gem) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (callable with no arguments, since all of its parameters have defaults) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1134920
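Added example, not part of the Debian tracker entry or of the ruby/erb project: a Ruby probe that builds an ERB object the way `Marshal.load` would (`ERB.allocate` plus instance variables, with no `@_init`) and checks whether `ERB#result`, `ERB#def_module` and `ERB#def_class` refuse it. The module name `ReconstructedErbProbe`, the helper names and the benign probe template are assumptions of this example, not identifiers from the advisory.

```ruby
# Added example (not from the Debian tracker entry or the ruby/erb project).
# Probe whether the installed ERB guards def_module/def_class the way Ruby 2.7
# guards result/run. Marshal.load rebuilds a plain object as ERB.allocate plus
# instance variables, so the probe constructs one the same way instead of
# crafting a Marshal stream. Module and method names are this example's own.
require "erb"

module ReconstructedErbProbe
  # Constructed, deliberately benign @src. def_method wraps it in
  # "def <name> ... end", so even an unguarded eval only defines a method.
  PROBE_SRC = "'reconstructed erb probe'".freeze

  # Build what Marshal.load would hand an application for an attacker-supplied
  # ERB instance: allocated without initialize, @src set, @_init absent. (A
  # real ERB instance keeps a singleton class in @_init, which Marshal.dump
  # refuses, so a stream carrying an ERB object never comes from ERB itself.)
  def self.reconstructed_erb(src = PROBE_SRC)
    erb = ERB.allocate
    erb.instance_variable_set(:@src, src)
    erb.instance_variable_set(:@filename, nil)
    erb.instance_variable_set(:@lineno, 0)
    erb
  end

  # ERB#result: guarded since Ruby 2.7 ("not initialized"), so this is true
  # on any supported Ruby. Refusal (an exception) counts as guarded.
  def self.result_guarded?
    reconstructed_erb.result(binding)
    false
  rescue StandardError
    true
  end

  # ERB#def_module: true means the @_init guard covers it (patched ERB);
  # false means @src was evaluated, i.e. the CVE-2026-41316 sink is open.
  def self.def_module_guarded?
    mod = reconstructed_erb.def_module("probe")
    !mod.instance_methods(false).include?(:probe)
  rescue StandardError
    true
  end

  # ERB#def_class: the same check for the third unguarded method.
  def self.def_class_guarded?
    klass = reconstructed_erb.def_class(Object, "probe")
    !klass.instance_methods(false).include?(:probe)
  rescue StandardError
    true
  end

  # Sanity check: a properly initialized ERB must keep working after the fix,
  # otherwise the probe would report "guarded" for a simply broken install.
  def self.legit_def_module_works?
    mod = ERB.new("<%= 1 + 1 %>").def_module("render")
    Object.new.extend(mod).render == "2"
  rescue StandardError
    false
  end

  def self.report
    dm = def_module_guarded?
    dc = def_class_guarded?
    {
      erb_version: defined?(ERB::VERSION) ? ERB::VERSION : ERB.version,
      result_guarded: result_guarded?,
      def_module_guarded: dm,
      def_class_guarded: dc,
      legit_erb_works: legit_def_module_works?,
      vulnerable: !(dm && dc)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  ReconstructedErbProbe.report.each { |key, value| puts "#{key}: #{value}" }
end
```

Run it against each Ruby installation you ship (`ruby probe.rb`); `vulnerable: true` means the installed `erb` still evaluates `@src` from a reconstructed object through `def_module` or `def_class`, regardless of what the gem version string says. The probe never runs attacker-controlled code: the only thing an unguarded `eval` can do with `PROBE_SRC` is define a harmless method.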

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                        Version            Status
ruby2.7 (PTS)     bullseye                       2.7.4-1+deb11u1    vulnerable
                  bullseye (security)            2.7.4-1+deb11u5    vulnerable
ruby3.1 (PTS)     bookworm, bookworm (security)  3.1.2-7+deb12u1    vulnerable
ruby3.3 (PTS)     forky, sid, trixie             3.3.8-2            vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
ruby2.7   source   (unstable)   (unfixed)
ruby3.1   source   (unstable)   (unfixed)
ruby3.3   source   (unstable)   (unfixed)                          1134920

Notes

https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv
Fixed by: https://github.com/ruby/erb/commit/9d017be4e375cdd058650ce528ee6adfead20cac (v6.0.4)
Fixed by: https://github.com/ruby/erb/commit/dd34ce41031327269a5fb83b0bc2c0d852895e9f (v6.0.1.1)
Fixed by: https://github.com/ruby/erb/commit/c3b721f7f7570c23e3423590af0419c1b10e1255 (v4.0.4.1)
Fixed by: https://github.com/ruby/erb/commit/ef61b591b270f8ba58d47f12472a1c53a77b4d61 (v4.0.3.1)
