41 changes: 41 additions & 0 deletions en/news/_posts/2026-04-21-erb-cve-2026-41316.md
@@ -0,0 +1,41 @@
---
layout: news_post
title: "CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class"
author: "k0kubun"
translator:
date: 2026-04-21 07:51:00 +0000
tags: security
lang: en
---

We published security advisory for CVE-2026-41316.

## CVE-2026-41316: ERB @\_init deserialization guard bypass via def\_module / def\_method / def\_class

A deserialization vulnerability exists in ERB. This vulnerability has been assigned the CVE identifier [CVE-2026-41316](https://www.cve.org/CVERecord?id=CVE-2026-41316). We recommend upgrading the erb gem.

### Scope

Any Ruby application that calls `Marshal.load` on untrusted data AND has both `erb` and `activesupport` loaded is vulnerable to arbitrary code execution. This includes:

- **Ruby on Rails applications that import untrusted serialized data** -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
- **Ruby tools that import untrusted serialized data** -- any tool using `Marshal.load` for caching, data import, or IPC
- **Legacy Rails apps** (pre-7.0) that still use Marshal for cookie session serialization

### Details

ERB implements an `@_init` guard to prevent code execution when ERB objects are reconstructed via `Marshal.load` on untrusted data. However, `ERB#def_method`, `ERB#def_module`, and `ERB#def_class` evaluate the template source without checking this guard, allowing an attacker who controls the data passed to `Marshal.load` to bypass the protection and execute arbitrary code. In particular, `def_module` takes no arguments, making it straightforward to invoke as part of a deserialization gadget chain.

Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later.

### Affected versions

* erb gem 6.0.3 or lower

### Credits

Thanks to [TristanInSec](https://github.com/TristanInSec) for discovering this issue.

## History

* Originally published at 2026-04-21 07:51:00 (UTC)
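Review bot: the opening sentence of the post body, "We published security advisory for CVE-2026-41316.", is missing its article; suggest "We published a security advisory for CVE-2026-41316." so it reads like the other advisory posts. Minor follow-up in the same hunk: the "### Affected versions" list only says "erb gem 6.0.3 or lower", while the fix line names patched releases on both the 4.0.x and 6.0.x lines (4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4); stating explicitly that the 4.0.x series is affected too would spare readers on that line from having to infer it from the patched version numbers.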