From 9ead4c3653e5d717f014586c0144897d1a3b9ed8 Mon Sep 17 00:00:00 2001 From: Takashi Kokubun Date: Tue, 21 Apr 2026 17:00:58 +0900 Subject: [PATCH] Write up CVE-2026-41316 --- .../_posts/2026-04-21-erb-cve-2026-41316.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 en/news/_posts/2026-04-21-erb-cve-2026-41316.md diff --git a/en/news/_posts/2026-04-21-erb-cve-2026-41316.md b/en/news/_posts/2026-04-21-erb-cve-2026-41316.md new file mode 100644 index 0000000000..66adbff0ae --- /dev/null +++ b/en/news/_posts/2026-04-21-erb-cve-2026-41316.md 
@@ -0,0 +1,41 @@ +--- +layout: news_post +title: "CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class" +author: "k0kubun" +translator: +date: 2026-04-21 07:51:00 +0000 +tags: security +lang: en +--- + +We published security advisory for CVE-2026-41316. + +## CVE-2026-41316: ERB @\_init deserialization guard bypass via def\_module / def\_method / def\_class + +A deserialization vulnerability exists in ERB. This vulnerability has been assigned the CVE identifier [CVE-2026-41316](https://www.cve.org/CVERecord?id=CVE-2026-41316). We recommend upgrading the erb gem. + +### Scope + +Any Ruby application that calls `Marshal.load` on untrusted data AND has both `erb` and `activesupport` loaded is vulnerable to arbitrary code execution. This includes: + +- **Ruby on Rails applications that import untrusted serialized data** -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC +- **Ruby tools that import untrusted serialized data** -- any tool using `Marshal.load` for caching, data import, or IPC +- **Legacy Rails apps** (pre-7.0) that still use Marshal for cookie session serialization + +### Details + +ERB implements an `@_init` guard to prevent code execution when ERB objects are reconstructed via `Marshal.load` on untrusted data. However, `ERB#def_method`, `ERB#def_module`, and `ERB#def_class` evaluate the template source without checking this guard, allowing an attacker who controls the data passed to `Marshal.load` to bypass the protection and execute arbitrary code. In particular, `def_module` takes no arguments, making it straightforward to invoke as part of a deserialization gadget chain. + +Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later. + +### Affected versions + +* erb gem 6.0.3 or lower + +### Credits + +Thanks to [TristanInSec](https://github.com/TristanInSec) for discovering this issue. 
+ +## History + +* Originally published at 2026-04-21 07:51:00 (UTC)
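Review bot: the `### Affected versions` entry `* erb gem 6.0.3 or lower` is inconsistent with the fix line right above it, `Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later.`, since 4.0.3.1, 4.0.4.1 and 6.0.1.1 are all below 6.0.3 and therefore read as affected even though they are the patched releases. Suggest stating the range with the backport releases excluded, e.g. `* erb gem 6.0.3 or lower, except 4.0.3.1, 4.0.4.1 and 6.0.1.1`, or listing each release series separately. Minor: `We published security advisory for CVE-2026-41316.` is missing an article (`a security advisory`).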