CVE-2024-27282 — Out-of-bounds Read in Azl3 Ruby 3.3.0-4 ON Azure Linux 3.0

CWE-125 — Out-of-bounds Read10 documents7 sources

Severity

6.6MEDIUMNVD

OSV9.8OSV4.5

EPSS

0.6%

top 31.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Ruby2.7 Debian Ruby3.1 Msrc Azl3 Ruby 3.3.0-4 ON Azure Linux 3.0 +7 more

Timeline

PublishedMay 14

Latest updateSep 3

Description

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:LExploitability: 1.8 | Impact: 4.7

Affected Packages10 packages

▶debiandebian/ruby2.7< ruby2.7 2.7.4-1+deb11u2 (bullseye)

▶debiandebian/ruby3.1< ruby2.7 2.7.4-1+deb11u2 (bullseye)

▶msrcmsrc/azl3_ruby_3.3.0-4_on_azure_linux_3.0

▶msrcmsrc/azl3_ruby_3.3.3-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_ruby_3.1.4-5_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities↗2025-09-03

▶

OSV

ruby2.7, ruby3.0, ruby3.1, ruby3.2 vulnerabilities↗2024-06-17

▶

GHSA

GHSA-63cq-cj6g-qfr2: An issue was discovered in Ruby 3↗2024-05-14

▶

OSV

CVE-2024-27282: An issue was discovered in Ruby 3↗2024-05-14

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2025-09-03

▶

Ubuntu

Ruby vulnerabilities↗2024-06-17

▶

Microsoft

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler it is possible to extract arbitrary heap data relative to the start of the text incl↗2024-05-14

▶

Red Hat

ruby: Arbitrary memory address read vulnerability with Regex search↗2024-04-23

▶

Debian

CVE-2024-27282: ruby2.7 - An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is ...↗2024

▶