This advisory covers two security vulnerabilities in ruby4.0 on Red Hat Enterprise Linux 10 and related products. CVE-2026-33210 is a format string injection vulnerability in the Ruby JSON library that can cause denial of service or information disclosure. CVE-2026-41316 is an arbitrary code execution vulnerability in ERB caused by a deserialization bypass. Red Hat has released updated ruby4.0 packages that fix these issues. The advisory references Red Hat's errata RHSA-2026:20606 and provides package updates for multiple architectures. The vulnerabilities have been rated as having an Important security impact by Red Hat. No CVSS scores are provided in the advisory, and no exploits in the wild are currently known.

Successful exploitation of CVE-2026-33210 could allow an attacker to cause denial of service or disclose information via format string injection in the Ruby JSON library. CVE-2026-41316 could allow arbitrary code execution through a deserialization bypass in ERB. Both vulnerabilities could lead to significant security risks including system compromise or data leakage on affected Red Hat Enterprise Linux 10 systems running ruby4.0. The advisory rates the overall impact as Important (high severity). No known active exploitation has been reported.

Red Hat has released updated ruby4.0 packages that address these vulnerabilities. Users should apply the ruby4.0 security update for Red Hat Enterprise Linux 10 as detailed in Red Hat advisory RHSA-2026:20606 and the referenced article https://access.redhat.com/articles/11258. Applying these official updates is the recommended and effective mitigation. There is no indication from the vendor advisory that additional workarounds or mitigations are required beyond applying the update.