CVE-2022-1071 — Use After Free in Mruby

CWE-416 — Use After Free CWE-664 — Improper Control of a Resource Through its Lifetime5 documents5 sources

Severity

8.2HIGHNVD

EPSS

0.3%

top 44.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mruby Mruby Mruby Debian Mruby +2 more

Timeline

PublishedMar 26

Latest updateOct 18

Description

User after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3.2.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages6 packages

▶debiandebian/mruby< mruby 3.1.0-1 (bookworm)

▶CVEListV5mruby/mruby_mrubyunspecified — 3.2

▶Debianmruby/mruby< 3.1.0-1+2

▶NVDmruby/mruby3.1

▶juniperjuniper/junos_os

Patches

Patch: github.com ↗Patch: huntr.dev ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-pv86-xgr9-75fj: User after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3↗2022-03-27

▶

OSV

CVE-2022-1071: User after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3↗2022-03-26

▶

📋Vendor Advisories

Juniper

CVE-2022-22249: An Improper Control of a Resource Through its Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series a↗2022-10-18

▶

Debian

CVE-2022-1071: mruby - User after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3.2.↗2022

▶