{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41316", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.671Z", "datePublished": "2026-04-24T02:35:41.160Z", "dateUpdated": "2026-04-25T01:45:43.173Z"}, "containers": {"cna": {"title": "ERB has an @_init deserialization guard bypass via def_module / def_method / def_class", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"}], "affected": [{"vendor": "ruby", "product": "erb", "versions": [{"version": "< 4.0.3.1", "status": "affected"}, {"version": "= 4.0.4", "status": "affected"}, {"version": ">= 5.0.0, < 6.0.1.1", "status": "affected"}, {"version": ">= 6.0.2, < 6.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:35:41.160Z"}, "descriptions": [{"lang": "en", "value": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue."}], "source": {"advisory": "GHSA-q339-8rmv-2mhv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:45:02.467085Z", "id": "CVE-2026-41316", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:45:43.173Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41316", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-25T01:45:02.467085Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:45:39.369Z"}}], "cna": {"title": "ERB has an @_init deserialization guard bypass via def_module / def_method / def_class", "source": {"advisory": "GHSA-q339-8rmv-2mhv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ruby", "product": "erb", "versions": [{"status": "affected", "version": "< 4.0.3.1"}, {"status": "affected", "version": "= 4.0.4"}, {"status": "affected", "version": ">= 5.0.0, < 6.0.1.1"}, {"status": "affected", "version": ">= 6.0.2, < 6.0.4"}]}], "references": [{"url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv", "name": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:35:41.160Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41316", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:45:43.173Z", "dateReserved": "2026-04-20T14:01:46.671Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T02:35:41.160Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue."}], "id": "CVE-2026-41316", "lastModified": "2026-04-29T20:56:50.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T03:16:11.897", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "erb: ERB: Arbitrary code execution via deserialization bypass", "id": "2461369", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461369"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in ERB, a templating system for Ruby. An attacker who can trigger deserialization of untrusted data in a Ruby application can bypass existing protections. This vulnerability allows for arbitrary code execution by exploiting specific public methods that evaluate template source code, which were not properly guarded against deserialization attacks."], "name": "CVE-2026-41316", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ruby4.0", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruby3.3", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruby3.4", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruby4.0", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-04-24T02:35:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41316\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41316\nhttps://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.3.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.0.0,6.0.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.2,6.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "erb", "source": "cna", "vendor": "ruby"}, "product": "erb", "vendor": "ruby"}], "analysis": {"en": {"generated_at": "2026-04-28T07:01:23.590623+00:00", "value": {"mitigation_remediation": ["Upgrade the ERB gem to at least 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 to fix the deserialization guard bypass.", "Restrict deserialization to trusted data sources to eliminate the possibility of loading malicious ERB objects.", "Remove or sanitize calls to ERB#def_module, ERB#def_method, and ERB#def_class in code paths that handle externally supplied inputs."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Systems that use Ruby 2.7.0 with ERB versions older than 4.0.3.1, 4.0.4.1, 6.0.1.1 or 6.0.4 are affected. The vulnerability is present in any environment where the erb gem is loaded and an attacker can trigger Marshal.load on untrusted input. The patch is available in ERB 4.0.3.1 and later, including 4.0.4.1, 6.0.1.1, 6.0.4, so any Ruby application that depends on an older erb gem carries this risk.", "description_and_impact": "The vulnerability arises because ERB's deserialization guard was installed separately for result and run methods but omitted from public methods that also evaluate source code such as def_method, def_module and def_class. An attacker who can supply untrusted data to Marshal.load can instantiate an ERB object and then invoke def_module (or the other two methods) to execute arbitrary Ruby code. The missing guard permits the eval of the ERB source without checking the initialization flag, leading to remote code execution.\nThis falls under CWE-502 (Deserialization of Untrusted Data) and CWE-693 (Improper Handling of Security-relevant Manipulation).", "risk_and_exploitability": "With a CVSS score of 8.1 the vulnerability poses a high severity. The EPSS score is under 1%, indicating low current exploitation probability, and the issue is not listed in CISA KEV. The attack requires the ability to deserialize arbitrary ERB objects. If an attacker can deliver untrusted Marshal data, they can immediately obtain code execution through def_module, def_method or def_class. Due to the need for deserialization access, the likelihood in production environments is limited but not negligible. Therefore, any exposed surfaces that accept serialized data must be scrutinized, and upgrading to a patched gem is the recommended mitigation."}}}}, "created": "2026-04-28T07:15:19.368099+00:00", "updated": "2026-04-28T09:25:23.818582+00:00", "vendors": ["ruby", "ruby$PRODUCT$erb"]}