CVE-2018-8778: Buffer under-read in String#unpack

There is a buffer under-read vulnerability in String#unpack method. This vulnerability has been assigned the CVE identifier CVE-2018-8778.


String#unpack receives format specifiers as its parameter, and can be specified the position of parsing the data by the specifier @. If a big number is passed with @, the number is treated as the negative value, and out-of-buffer read is occurred. So, if a script accepts an external input as the argument of String#unpack, the attacker can read data on heaps.

All users running an affected release should upgrade immediately.

Affected Versions

  • Ruby 2.2 series: 2.2.9 and earlier
  • Ruby 2.3 series: 2.3.6 and earlier
  • Ruby 2.4 series: 2.4.3 and earlier
  • Ruby 2.5 series: 2.5.0 and earlier
  • Ruby 2.6 series: 2.6.0-preview1
  • prior to trunk revision r62992


Thanks to aerodudrizzt for reporting the issue.


  • Originally published at 2018-03-28 14:00:00 (UTC)