Ruby, Deserialization RCE, CVE-2026-41316 (High)

Listen to this Post

This vulnerability bypasses the `@_init` guard introduced in ERB to prevent `Marshal.load` deserialization attacks. During initialization, `ERBinitialize` sets @_init = self.class.singleton_class. The `ERBresult` and `ERBrun` methods check `@_init.equal?(self.class.singleton_class)` before eval(@src). When an ERB object is reconstructed via Marshal.load, `@_init` becomes `nil` or an attacker-controlled value, preventing `ERBresult` from executing. However, the methods ERBdef_method, ERBdef_module, and `ERBdef_class` reach `eval(@src)` without checking @_init. Both `def_module` and `def_class` accept zero arguments, making them callable through deserialization gadget chains. Additionally, `def_method` wraps `@src` in a method definition, but an attacker can set `@src` to start with end\n, closing the method early and causing subsequent code to execute immediately. This bypass works in all ERB versions from 2.2.0 through 6.0.3. By combining this with `ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy` as a dispatch gadget, an attacker can trigger `ERBdef_module` via Marshal.load, leading to arbitrary code execution. The chain works because `Marshal.load` reconstructs a Hash with the proxy as a key, calling `.hash` on it, which triggers `method_missing` and dispatches to ERBdef_module.

dailycve form:

Platform: Ruby
Version: ERB 2.2.0-6.0.3
Vulnerability: @_init guard bypass
Severity: High
date: 2026-04-21

Prediction: Already Patched

What Undercode Say:

Analytics

Check vulnerable version
gem list erb
Update to patched version
gem update erb -v 6.0.4
Bundle update
bundle update erb
Verify patch
ruby -e "require 'erb'; puts ERB.instance_method(:def_method).source_location"

Exploit:

  1. Allocate ERB object and set @src to “end\nsystem(‘id’)\ndef x”
  2. Craft ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy with @instance pointing to the ERB object and @method set to :def_module

3. Marshal.dump the proxy inside a Hash

  1. Marshal.load triggers Hash key hash calculation -> method_missing -> ERBdef_module -> def_method -> eval(src) -> code execution

Protection from this CVE

Upgrade erb gem to 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later. Avoid Marshal.load on untrusted data. Use JSON or YAML.safe_load instead. If Marshal is necessary, use a whitelist or sandbox.

Impact

Remote code execution (RCE). An attacker can execute arbitrary system commands, leading to full server compromise, data theft, or denial of service.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top