CVE-2022-28738: Double free in Regexp compilation
Posted by mame on 12 Apr 2022
A double-free vulnerability has been discovered in Regexp compilation. This vulnerability has been assigned the CVE identifier CVE-2022-28738. We strongly recommend upgrading Ruby.
Details
Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.
Please update Ruby to 3.0.4 or 3.1.2.
Affected versions
- ruby 3.0.3 or prior
- ruby 3.1.1 or prior
Note that ruby 2.6 series and 2.7 series are not affected.
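As an added example (not part of the advisory), the following Ruby code turns the two practical points above into checks: whether a given Ruby version falls in the affected ranges listed here, and how to avoid compiling untrusted input as a pattern at all by escaping it first. The function names are my own.

```ruby
require "rubygems" # provides Gem::Version; normally already loaded by Ruby

# Returns true when the given Ruby version is in an affected range from
# the advisory: 3.0.3 or earlier, or 3.1.1 or earlier. The 2.6 and 2.7
# series are not affected, and 3.0.4 / 3.1.2 are the fixed releases.
def affected_by_cve_2022_28738?(version_string)
  v = Gem::Version.new(version_string)
  major, minor = v.segments[0], v.segments[1]
  return false unless major == 3
  case minor
  when 0 then v < Gem::Version.new("3.0.4")
  when 1 then v < Gem::Version.new("3.1.2")
  else false
  end
end

# Convenience check against the interpreter this code runs under.
def running_ruby_affected?
  affected_by_cve_2022_28738?(RUBY_VERSION)
end

# The advisory notes that compiling a Regexp from untrusted input is unsafe
# in general. When the goal is merely to search for a user-supplied string,
# escape it so metacharacters are matched literally instead of being
# interpreted by the regexp compiler.
def literal_matcher(untrusted)
  Regexp.new(Regexp.escape(untrusted))
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION} affected: #{running_ruby_affected?}"
  # "a+b" is matched as the three literal characters, not as "one or more a, then b".
  puts literal_matcher("a+b").match?("x a+b y") # true
  puts literal_matcher("a+b").match?("aab")     # false
end
```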
Credits
Thanks to piao for discovering this issue.
History
- Originally published at 2022-04-12 12:00:00 (UTC)