CVE-2016-2338

CRITICAL

Ruby - Heap Overflow in Psych::Emitter start_document Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-2338. PoCs published by SpiralBL0CK.

AI-analyzed exploit summary

The repository contains a functional exploit for CVE-2016-2338, leveraging heap spraying and memory corruption techniques to achieve arbitrary code execution. The exploit uses a combination of ROP chains and shellcode to exploit a vulnerability in the target software.

Description

An exploitable heap overflow vulnerability exists in the Psych::Emitter#start_document function of Ruby's bundled YAML library, Psych. In start_document, the heap buffer "head" that holds the tag directives is allocated once, sized from the length of the tags array at entry. Converting each tag element to a string runs Ruby-level code, so a specially constructed object passed as an element of the tags array can grow the array after that allocation; the loop then keeps writing directive entries past the end of "head", corrupting the heap. Reaching the bug requires that the target application call Psych::Emitter#start_document with a tags array containing attacker-controlled Ruby objects; the page's Working PoC classification and "Racy" reliability rating reflect that turning this corruption into code execution depends on heap layout.
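The pattern described above, modelled in C as an added example. This is not psych's code: the tag array, the `coerce_fn` callback standing in for the Ruby-level `to_str` conversion, and the function names are constructed for illustration, and the tag tuple is simplified to a single string per entry. The vulnerable variant sizes its buffer from the length at entry but re-reads the length as its loop bound, so a hostile callback that appends to the array pushes the write index past the allocation (counted here rather than performed, so the program stays well defined). The hardened variant is my own fix, not necessarily the upstream patch: it snapshots the length and refuses to continue if the array changes size under it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the Ruby Array passed as `tags` (added example). */
typedef struct {
    const char **items;
    size_t len;
    size_t cap;
} tag_array_t;

static void tags_push(tag_array_t *a, const char *s)
{
    if (a->len == a->cap) {
        a->cap = a->cap ? a->cap * 2 : 4;
        a->items = realloc(a->items, a->cap * sizeof(*a->items));
        if (!a->items) abort();
    }
    a->items[a->len++] = s;
}

/* Stand-in for the string conversion of a tag element, which runs Ruby code. */
typedef void (*coerce_fn)(tag_array_t *tags, size_t idx);

/* A well-behaved to_str: leaves the array alone. */
static void benign_coerce(tag_array_t *tags, size_t idx) { (void)tags; (void)idx; }

/* A hostile to_str: grows the array the emitter is still walking. */
static void hostile_coerce(tag_array_t *tags, size_t idx)
{
    if (idx == 0) {
        tags_push(tags, "!extra1!");
        tags_push(tags, "!extra2!");
    }
}

/*
 * Vulnerable shape: "head" is sized from the length at entry, but the loop
 * bound re-reads tags->len each iteration. Returns how many writes would have
 * landed past the allocation; the real code performed them.
 */
static size_t emit_vulnerable(tag_array_t *tags, coerce_fn coerce)
{
    size_t alloc_len = tags->len;
    const char **head = calloc(alloc_len ? alloc_len : 1, sizeof(*head));
    size_t out_of_bounds = 0;
    if (!head) abort();
    for (size_t i = 0; i < tags->len; i++) {   /* bound re-evaluated after coerce() */
        coerce(tags, i);                       /* may append to tags */
        if (i < alloc_len)
            head[i] = tags->items[i];
        else
            out_of_bounds++;                   /* would be head[i] = ..., past the end */
    }
    free(head);
    return out_of_bounds;
}

/*
 * Hardened shape (constructed fix): snapshot the length, iterate only to it,
 * and bail out if conversion changed the array. 0 on success, -1 on mutation.
 */
static int emit_hardened(tag_array_t *tags, coerce_fn coerce)
{
    size_t n = tags->len;
    const char **head = calloc(n ? n : 1, sizeof(*head));
    if (!head) abort();
    for (size_t i = 0; i < n; i++) {
        coerce(tags, i);
        if (tags->len != n) {                  /* array grew or shrank under us */
            free(head);
            return -1;
        }
        head[i] = tags->items[i];
    }
    free(head);
    return 0;
}

/* Scenario runners: one tag entry, converted with a benign or hostile to_str. */
static size_t vulnerable_overflow_count(int hostile)
{
    tag_array_t tags = {0};
    tags_push(&tags, "!ruby!");
    size_t n = emit_vulnerable(&tags, hostile ? hostile_coerce : benign_coerce);
    free(tags.items);
    return n;
}

static int hardened_status(int hostile)
{
    tag_array_t tags = {0};
    tags_push(&tags, "!ruby!");
    int rc = emit_hardened(&tags, hostile ? hostile_coerce : benign_coerce);
    free(tags.items);
    return rc;
}

int main(void)
{
    printf("vulnerable, benign  : %zu out-of-bounds writes\n", vulnerable_overflow_count(0));
    printf("vulnerable, hostile : %zu out-of-bounds writes\n", vulnerable_overflow_count(1));
    printf("hardened, hostile   : rc=%d\n", hardened_status(1));
    return 0;
}
```

With one entry and a hostile callback that appends two more, the vulnerable loop runs three iterations against a one-slot buffer, so two writes go out of bounds; the hardened loop stops at the first length mismatch. Run the real thing under AddressSanitizer to see the equivalent heap-buffer-overflow report rather than a silent count.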

Exploits (1)

nomisec WORKING POC
by SpiralBL0CK · poc
https://github.com/SpiralBL0CK/CVE-2016-2338-nday


Classification
Working Poc 90%
Attack Type
RCE
Complexity
Complex
Reliability
Racy
Target: Unknown (CVE-2016-2338)
No auth needed
Prerequisites: Target system running vulnerable software · Ability to deliver and execute the exploit code
devstral-2 · analyzed Feb 18, 2026

References (3)


Scores

CVSS v3.1 9.8 (Critical)
EPSS 0.1346 (13.46% estimated probability of exploitation in the next 30 days)
EPSS Percentile 94.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787 (Out-of-bounds Write)
Status published
Products (3)
debian/debian_linux 8.0
ruby-lang/ruby 2.2.2
ruby-lang/ruby 2.3.0
Published Sep 29, 2022
Tracked Since Feb 18, 2026