CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability has been discovered in Regexp compilation. This vulnerability has been assigned the CVE identifier CVE-2022-28738. We strongly recommend upgrading Ruby.

Details

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

Please update Ruby to 3.0.4 or 3.1.2.

Affected versions

  • ruby 3.0.3 or prior
  • ruby 3.1.1 or prior

Note that ruby 2.6 series and 2.7 series are not affected.
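
To check an interpreter, or an inventory of `ruby -v` strings, against the ranges above, the following is an added example (not part of the original advisory and not code from the Ruby project). The helper names `extract_version`, `classify` and `audit` are hypothetical, and the host names and version strings in the sample inventory are constructed.

```ruby
require "rubygems" # provides Gem::Version for numeric version comparison

# From the advisory: fixed releases are 3.0.4 and 3.1.2; 2.6 and 2.7 are not affected.
FIXED_IN = { "3.0" => Gem::Version.new("3.0.4"),
             "3.1" => Gem::Version.new("3.1.2") }.freeze
NOT_AFFECTED_SERIES = %w[2.6 2.7].freeze

# Accepts a bare version ("3.0.3") or a `ruby -v` line ("ruby 3.0.3p157 (...)").
def extract_version(text)
  m = text.match(/\A(?:ruby\s+)?(\d+\.\d+\.\d+)/)
  m && m[1]
end

# Returns :affected, :fixed, :not_affected, :not_covered_by_advisory or :unparsable.
def classify(text)
  version = extract_version(text.to_s.strip)
  return :unparsable unless version

  series = version.split(".").first(2).join(".")
  return :not_affected if NOT_AFFECTED_SERIES.include?(series)

  fixed = FIXED_IN[series]
  # The advisory is silent on every other series, so report that instead of guessing.
  return :not_covered_by_advisory unless fixed

  # Gem::Version compares numerically, so a two-digit patch number sorts correctly.
  Gem::Version.new(version) < fixed ? :affected : :fixed
end

# Constructed sample inventory: host names and `ruby -v` strings are made up.
INVENTORY = {
  "app-01"   => "ruby 3.0.3p157 (2021-11-24 revision 0000000000) [x86_64-linux]",
  "app-02"   => "ruby 3.1.2p20 (2022-04-12 revision 0000000000) [x86_64-linux]",
  "batch-01" => "ruby 2.7.6p219 (2022-04-12 revision 0000000000) [x86_64-linux]",
  "ci-01"    => "3.1.1",
  "legacy"   => "version string missing"
}.freeze

def audit(inventory)
  inventory.transform_values { |line| classify(line) }
end

if __FILE__ == $PROGRAM_NAME
  audit(INVENTORY).each { |host, status| puts format("%-9s %s", host, status) }
  puts format("%-9s %s", "(self)", classify(RUBY_VERSION))
end
```
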

Credits

Thanks to piao for discovering this issue.

History

  • Originally published on 2022-04-12 12:00:00 (UTC)