CVE-2026-38976
mruby · mrubyc
A NULL pointer dereference in mrubyc's src/vm.c in the op_super() function allows for potential denial of service due to a missing runtime guard for top-level super.
Executive summary
A NULL pointer dereference vulnerability in mrubyc up to version 3.4.1 poses a significant risk of service disruption via denial of service.
Vulnerability
This is a NULL pointer dereference vulnerability occurring in the src/vm.c file within the op_super() function. The flaw is triggered by a missing runtime guard for top-level super, allowing an unauthenticated attacker to cause a crash.
Business impact
Successful exploitation of this vulnerability results in a complete denial of service (DoS) for the affected software. With a CVSS score of 7.5 (High), this represents a significant risk to operational continuity, as an attacker can easily disrupt system operations without requiring any privileges.
Remediation
Immediate Action: Apply the fix provided in the developer's commit: https://github.com/hayat01sh1da/mrubyc/commit/c4aa2a06bfdd13a0f1ae5165c5760a2530314a42.
Proactive Monitoring: Monitor system logs for frequent service restarts or unexpected application crashes that may indicate exploitation attempts.
Compensating Controls: Deploy memory protection mechanisms or container-level resource limits to mitigate the impact of service crashes on the wider infrastructure.
Exploitation status
Public Exploit Available: true
Analyst recommendation
The severity of this flaw, coupled with the availability of public exploits, necessitates urgent attention. Administrators should verify their current version of mrubyc and apply the referenced patch immediately to prevent potential denial of service attacks.