CVE-2025-13120Improper Restriction of Operations within the Bounds of a Memory Buffer in Mruby

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-416Use After Free5 documents5 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 98.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
MrubyDebian MrubyMsrc Azl3 Rust 1.75.0-21 ON Azure Linux 3.0+2 more
Timeline
PublishedNov 13

Description

A vulnerability has been found in mruby up to 3.4.0. This vulnerability affects the function sort_cmp of the file src/array.c. Such manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc. It is advisable to implement a patch to correct this issue.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages6 packages

NVDmruby/mruby3.4.0
CVEListV5mruby/mruby5 versions+4
debiandebian/mruby

Patches

Patch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-j383-q79v-268x: A vulnerability has been found in mruby up to 32025-11-13
OSV
CVE-2025-13120: A vulnerability has been found in mruby up to 32025-11-13

📋Vendor Advisories

2
Microsoft
mruby array.c sort_cmp use after free2025-11-11
Debian
CVE-2025-13120: mruby - A vulnerability has been found in mruby up to 3.4.0. This vulnerability affects ...2025