CVE-2026-1979Improper Restriction of Operations within the Bounds of a Memory Buffer in Mruby

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-416Use After Free6 documents6 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 92.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
MrubyDebian MrubyMsrc Azl3 Nghttp2 1.61.0-2 ON Azure Linux 3.0+4 more
Timeline
PublishedFeb 6
Latest updateFeb 10

Description

A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages8 packages

NVDmruby/mruby3.4.0
CVEListV5mruby/mruby5 versions+4
debiandebian/mruby

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
CVE-2026-1979: A flaw has been found in mruby up to 32026-02-06
GHSA
GHSA-gxgq-rpmr-r8xr: A flaw has been found in mruby up to 32026-02-06

📋Vendor Advisories

2
Microsoft
mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free2026-02-10
Debian
CVE-2026-1979: mruby - A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exe...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-1979 Impact, Exploitability, and Mitigation Steps | Wiz