My requested changes to PR #1039 (#1081)

jasnow · huda-kh · web-flow · commit 851dcb1827e5 · 2026-05-31T09:27:40.000-04:00
* Add CVE-2026-41316 * Updated both advisory to normal conventions * Update CVE-2026-41316 date to 2026-04-13 --------- Co-authored-by: Huda <huda@haesemathematics.com.au>
diff --git a/gems/erb/CVE-2026-41316.yml b/gems/erb/CVE-2026-41316.yml
@@ -0,0 +1,33 @@
+---
+gem: erb
+cve: 2026-41316
+ghsa: q339-8rmv-2mhv
+url: https://nvd.nist.gov/vuln/detail/CVE-2026-41316
+title: ERB has an @_init deserialization guard bypass via
+  def_module / def_method / def_class
+date: 2026-04-13
+description: |
+  ERB implements an @_init guard to prevent code execution when ERB
+  objects are reconstructed via Marshal.load on untrusted data. However,
+  ERB#def_method, ERB#def_module, and ERB#def_class evaluate the template
+  source without checking this guard, allowing an attacker who controls
+  the data passed to Marshal.load to bypass the protection and execute
+  arbitrary code. In particular, def_module takes no arguments, making
+  it straightforward to invoke as part of a deserialization gadget chain.
+
+  Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1,
+  6.0.4 or later.
+cvss_v3: 8.1
+patched_versions:
+  - "~> 4.0.3.1"
+  - "~> 4.0.4.1"
+  - "~> 6.0.1.1"
+  - ">= 6.0.4"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-41316
+    - https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released
+    - https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316
+    - https://github.com/ruby/erb/blob/master/NEWS.md
+    - https://github.com/ruby/erb/commit/9d017be4e375cdd058650ce528ee6adfead20cac
+    - https://github.com/advisories/GHSA-q339-8rmv-2mhv
diff --git a/rubies/ruby/CVE-2026-41316.yml b/rubies/ruby/CVE-2026-41316.yml
@@ -0,0 +1,30 @@
+---
+engine: ruby
+cve: 2026-41316
+ghsa: q339-8rmv-2mhv
+url: https://nvd.nist.gov/vuln/detail/CVE-2026-41316
+title: ERB has an @_init deserialization guard bypass via
+  def_module / def_method / def_class
+date: 2026-04-21
+description: |
+  ERB implements an @_init guard to prevent code execution when ERB
+  objects are reconstructed via Marshal.load on untrusted data. However,
+  ERB#def_method, ERB#def_module, and ERB#def_class evaluate the template
+  source without checking this guard, allowing an attacker who controls
+  the data passed to Marshal.load to bypass the protection and execute
+  arbitrary code. In particular, def_module takes no arguments, making
+  it straightforward to invoke as part of a deserialization gadget chain.
+
+  Please update to Ruby 4.0.3 which "only contains ERB 6.0.1.1,
+  which fixes CVE-2026-41316."
+cvss_v3: 8.1
+patched_versions:
+  - ">= 4.0.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-41316
+    - https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released
+    - https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316
+    - https://github.com/ruby/erb/blob/master/NEWS.md
+    - https://github.com/ruby/erb/commit/9d017be4e375cdd058650ce528ee6adfead20cac
+    - https://github.com/advisories/GHSA-q339-8rmv-2mhv
