CVE-2016-2339 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Ruby

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122 — Heap-based Buffer Overflow7 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.7%

top 28.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby Ruby-lang Ruby

Timeline

PublishedJan 6

Latest updateMay 14

Description

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5ruby/ruby2.2.2, 2.3.0 dev+1

▶NVDruby-lang/ruby2.2.2, 2.3.0+1

🔴Vulnerability Details

GHSA

GHSA-c4w7-m676-pcvp: An exploitable heap overflow vulnerability exists in the Fiddle::Function↗2022-05-14

▶

CVEList

CVE-2016-2339: An exploitable heap overflow vulnerability exists in the Fiddle::Function↗2017-01-06

▶

OSV

CVE-2016-2339: An exploitable heap overflow vulnerability exists in the Fiddle::Function↗2017-01-06

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2017-07-25

▶

Red Hat

ruby: Fiddle:: Function.new heap buffer overflow↗2016-06-14

▶

💬Community

Bugzilla

CVE-2016-2339 ruby: Fiddle::Function.new heap buffer overflow↗2017-01-12

▶