CVE-2016-2339
CRITICALRuby - Heap Overflow in Fiddle::Function.new Initialize
Title source: llmDescription
An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.
References (3)
Core 3
Core References
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/91234
Exploit, Technical Description, Third Party Advisory, VDB Entry x_refsource_misc
http://www.talosintelligence.com/reports/TALOS-2016-0034/
Scores
CVSS v3
9.8
EPSS
0.0519
EPSS Percentile
91.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-119
Status
published
Products (4)
Ruby/Ruby
2.2.2
Ruby/Ruby
2.3.0 dev
ruby-lang/ruby
2.2.2
ruby-lang/ruby
2.3.0
Published
Jan 06, 2017
Tracked Since
Feb 18, 2026