PT-2022-2610 · Ruby+8
Piao · Published 2022-04-12 · Updated 2025-12-12
CVE-2022-28738
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Ruby versions 3.0.0 through 3.0.3
Ruby versions 3.1.0 through 3.1.1
Description
A double free was found in the Regexp compiler. If an application creates a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations. The issue lies in the implementation of the Regexp class and can lead to a denial of service through specially crafted Regexp objects.
Recommendations
For Ruby versions 3.0.0 through 3.0.3, update to version 3.0.4 or later.
For Ruby versions 3.1.0 through 3.1.1, update to version 3.1.2 or later.
As a temporary workaround, restrict the creation of Regexp objects from untrusted user input until the updated version can be deployed.
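As an added example (not part of the advisory), the following Ruby code implements the two recommendations above: it checks a Ruby version against the affected ranges listed on this page, and it escapes untrusted input before compiling it into a Regexp, so the input is matched literally and never reaches the Regexp compiler as pattern syntax. The function names and the length limit are assumptions.

```ruby
require "rubygems" # provides Gem::Version for version comparison

# Affected ranges exactly as listed in this advisory (CVE-2022-28738).
AFFECTED_RANGES = [
  [Gem::Version.new("3.0.0"), Gem::Version.new("3.0.3")],
  [Gem::Version.new("3.1.0"), Gem::Version.new("3.1.1")],
].freeze

# Returns true when the given Ruby version string falls inside an
# affected range; defaults to the interpreter running this code.
def affected_ruby_version?(version_string = RUBY_VERSION)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v <= hi }
end

# Pattern to avoid: untrusted text is compiled as regexp syntax, which is
# exactly the condition the advisory describes.
def unsafe_search_regexp(user_input)
  Regexp.new(user_input)
end

# Hardened pattern (hypothetical helper): escape the text first so every
# metacharacter is matched literally, and cap its length so an oversized
# search term cannot be used to stress the compiler.
def safe_search_regexp(user_input, max_length: 256)
  raise ArgumentError, "search term too long" if user_input.length > max_length
  Regexp.new(Regexp.escape(user_input))
end

if __FILE__ == $PROGRAM_NAME
  term = "a+b(c" # constructed sample of untrusted user input
  puts "running Ruby #{RUBY_VERSION}, affected: #{affected_ruby_version?}"
  puts "literal search regexp: #{safe_search_regexp(term).inspect}"
end
```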
Buffer Overflow
Double Free
Affected Products
ALT Linux
AlmaLinux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
Ruby
Ubuntu