mruby Heap-Based Buffer Overflow Vulnerability in Code Generation Component

Vulnerability

A heap-based buffer overflow vulnerability has been identified in mruby versions through 3.4.0-rc2. The issue arises in the 'scope_new' function within the 'mrbgems/mruby-compiler/core/codegen.c' file, specifically related to the nregs handler. This vulnerability requires local access to exploit and has been publicly disclosed, with an available proof-of-concept exploit.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, which can commonly result in arbitrary code execution or a program crash.

Reproduction

The vulnerability can be reproduced using a fuzzing harness available in the 'oss-fuzz' repository. After compiling mruby with AddressSanitizer enabled, the fuzzer can be run with a crafted input that triggers the buffer overflow.

Remediation

Users are advised to update to the latest version of mruby, where this vulnerability has been patched.

Added: Jul 9, 2025, 2:15 AM
Updated: Jul 9, 2025, 2:15 AM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          2.5
exploitability  4.6
remediation     7.7
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.