CVE-2026-38976

mruby · mrubyc

A NULL pointer dereference in mrubyc's src/vm.c in the op_super() function allows for potential denial of service due to a missing runtime guard for top-level super.

Executive summary

A NULL pointer dereference vulnerability in mrubyc up to version 3.4.1 poses a significant risk of service disruption via denial of service.

Vulnerability

This is a NULL pointer dereference vulnerability occurring in the src/vm.c file within the op_super() function. The flaw is triggered by a missing runtime guard for top-level super, allowing an unauthenticated attacker to cause a crash.

Business impact

Successful exploitation of this vulnerability results in a complete denial of service (DoS) for the affected software. With a CVSS score of 7.5 (High), this represents a significant risk to operational continuity, as an attacker can easily disrupt system operations without requiring any privileges.

Remediation

Immediate Action: Apply the fix provided in the developer's commit: https://github.com/hayat01sh1da/mrubyc/commit/c4aa2a06bfdd13a0f1ae5165c5760a2530314a42.

Proactive Monitoring: Monitor system logs for frequent service restarts or unexpected application crashes that may indicate exploitation attempts.

Compensating Controls: Deploy memory protection mechanisms or container-level resource limits to mitigate the impact of service crashes on the wider infrastructure.

Exploitation status

Public Exploit Available: true

Analyst recommendation

The severity of this flaw, coupled with the availability of public exploits, necessitates urgent attention. Administrators should verify their current version of mrubyc and apply the referenced patch immediately to prevent potential denial of service attacks.