Red Hat Security Advisory: ruby:4.0 security update
This advisory addresses two security vulnerabilities in Ruby 4. 0 as packaged for Red Hat Enterprise Linux 9. The first vulnerability (CVE-2026-33210) involves a format string injection in the Ruby JSON module that could lead to denial of service or information disclosure. The second vulnerability (CVE-2026-41316) affects the ERB module and allows arbitrary code execution via a deserialization bypass. Red Hat has released an important security update rebasing Ruby 4. 0 to the latest release to fix these issues. The update is available for multiple architectures and Red Hat Enterprise Linux variants. No known exploits in the wild have been reported. Users should apply the update as directed by Red Hat to remediate these vulnerabilities.
AI Analysis
Technical Summary
Two vulnerabilities affect Ruby 4.0 in Red Hat Enterprise Linux 9: CVE-2026-33210 is a format string injection in the ruby/json module that can cause denial of service or information disclosure. CVE-2026-41316 is a deserialization bypass in the erb module that enables arbitrary code execution. Red Hat Product Security has issued an important security advisory (RHSA-2026:20596) providing updated Ruby 4.0 packages rebased to the latest upstream release to address these issues. The advisory covers multiple architectures including x86_64, s390x, ppc64le, and aarch64. The update is available via Red Hat's standard update channels. No CVSS scores are provided in the advisory, and no exploits are known to be active in the wild.
Potential Impact
The vulnerabilities could allow attackers to cause denial of service or disclose sensitive information via the ruby/json format string injection (CVE-2026-33210). The deserialization bypass in ERB (CVE-2026-41316) could permit arbitrary code execution, posing a significant security risk. These issues affect Ruby 4.0 as distributed by Red Hat Enterprise Linux 9. No active exploitation has been reported, but the potential impact of arbitrary code execution is high.
Mitigation Recommendations
Red Hat has released updated Ruby 4.0 packages that fix these vulnerabilities. Users should apply the security update RHSA-2026:20596 promptly following Red Hat's guidance at https://access.redhat.com/articles/11258. The update rebases Ruby 4.0 to the latest upstream release containing the fixes. No additional mitigation steps are indicated by Red Hat beyond applying the official update.
Red Hat Security Advisory: ruby:4.0 security update
Description
This advisory addresses two security vulnerabilities in Ruby 4. 0 as packaged for Red Hat Enterprise Linux 9. The first vulnerability (CVE-2026-33210) involves a format string injection in the Ruby JSON module that could lead to denial of service or information disclosure. The second vulnerability (CVE-2026-41316) affects the ERB module and allows arbitrary code execution via a deserialization bypass. Red Hat has released an important security update rebasing Ruby 4. 0 to the latest release to fix these issues. The update is available for multiple architectures and Red Hat Enterprise Linux variants. No known exploits in the wild have been reported. Users should apply the update as directed by Red Hat to remediate these vulnerabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Two vulnerabilities affect Ruby 4.0 in Red Hat Enterprise Linux 9: CVE-2026-33210 is a format string injection in the ruby/json module that can cause denial of service or information disclosure. CVE-2026-41316 is a deserialization bypass in the erb module that enables arbitrary code execution. Red Hat Product Security has issued an important security advisory (RHSA-2026:20596) providing updated Ruby 4.0 packages rebased to the latest upstream release to address these issues. The advisory covers multiple architectures including x86_64, s390x, ppc64le, and aarch64. The update is available via Red Hat's standard update channels. No CVSS scores are provided in the advisory, and no exploits are known to be active in the wild.
Potential Impact
The vulnerabilities could allow attackers to cause denial of service or disclose sensitive information via the ruby/json format string injection (CVE-2026-33210). The deserialization bypass in ERB (CVE-2026-41316) could permit arbitrary code execution, posing a significant security risk. These issues affect Ruby 4.0 as distributed by Red Hat Enterprise Linux 9. No active exploitation has been reported, but the potential impact of arbitrary code execution is high.
Mitigation Recommendations
Red Hat has released updated Ruby 4.0 packages that fix these vulnerabilities. Users should apply the security update RHSA-2026:20596 promptly following Red Hat's guidance at https://access.redhat.com/articles/11258. The update rebases Ruby 4.0 to the latest upstream release containing the fixes. No additional mitigation steps are indicated by Red Hat beyond applying the official update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:20596
- Cve Count
- 2
- Additional Cves
- ["CVE-2026-41316"]
- Cvss Version
- null
Threat ID: 6a160977e29bf47b506425e5
Added to database: 5/26/2026, 8:58:31 PM
Last enriched: 5/26/2026, 11:36:07 PM
Last updated: 5/27/2026, 4:59:19 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.