{"id":"CVE-2026-41316","summary":"ERB has an @_init deserialization guard bypass via def_module / def_method / def_class","details":"ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.","aliases":["GHSA-q339-8rmv-2mhv"],"modified":"2026-07-08T08:13:15.058514411Z","published":"2026-04-24T02:35:41.160Z","related":["ALSA-2026:18030","ALSA-2026:18039","ALSA-2026:18065","ALSA-2026:20596","ALSA-2026:20606","ALSA-2026:20614","CGA-p2rw-cf3p-xf66","openSUSE-SU-2026:10609-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41316.json","cwe_ids":["CWE-693"]},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41316.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:18030"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:18039"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:18065"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20596"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20606"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20614"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20670"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26312"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26655"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:33462"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:33478"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:35834"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-41316"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41316.json"},{"type":"ADVISORY","url":"https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41316"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461369"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/erb","events":[{"introduced":"0"},{"fixed":"b6be29fd0e0f5089447d2f8d18140ae78258621d"},{"introduced":"08b544cdb898b7479f500480bafc1876d19f8bba"},{"fixed":"93450765b5319cfb552a3d9719df137e8fbb75e9"},{"introduced":"8626c822ea8009008fb5884cfc949cbcafbe9680"},{"fixed":"4d2b45e140044f464794c0463d838d5cb4bba96c"},{"introduced":"b68bfed6a8aee5e1732d108718560babe1e8a275"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"4.0.3.1"},{"introduced":"5.0.0"},{"fixed":"6.0.1.1"},{"introduced":"6.0.2"},{"fixed":"6.0.4"},{"introduced":"= 4.0.4"},{"last_affected":"= 4.0.4"}]}}],"versions":["= 4.0.4","v4.0.3","v6.0.1","v6.0.3","v6.0.0","v5.1.3","v5.1.2","v5.1.1","v5.1.0","v5.0.3","v5.0.2","v5.0.1","v5.0.0","v4.0.2","v4.0.1","v4.0.0","v3.0.0","v2.2.3","v2.2.2","v2.2.1","v2.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41316.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}