Description
A vulnerability has been found in mruby up to 3.4.0. This vulnerability affects the function sort_cmp of the file src/array.c. Such manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc. It is advisable to implement a patch to correct this issue.
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.332325
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.332325
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.683435
Issue Tracking, Vendor Advisory issue-tracking
https://github.com/mruby/mruby/issues/6649
Issue Tracking issue-tracking
https://github.com/makesoftwaresafe/mruby/pull/263
Issue Tracking, Vendor Advisory exploit
issue-tracking
https://github.com/mruby/mruby/issues/6649#issue-3534393003
Various Sources product
https://github.com/mruby/mruby/
Scores
CVSS v3
5.3
EPSS
0.0002
EPSS Percentile
3.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-119
CWE-416
Status
published
Products (1)
mruby/mruby
< 3.4.0
Published
Nov 13, 2025
Tracked Since
Feb 18, 2026