CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class

Posted by k0kubun on 21 Apr 2026

We have published a security advisory for CVE-2026-41316.

CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class

A deserialization vulnerability exists in ERB. This vulnerability has been assigned the CVE identifier CVE-2026-41316. We recommend upgrading the erb gem.

Scope

Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:

  • Ruby on Rails applications that import untrusted serialized data – any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
  • Ruby tools that import untrusted serialized data – any tool using Marshal.load for caching, data import, or IPC
  • Legacy Rails apps (pre-7.0) that still use Marshal for cookie session serialization

Details

ERB implements an @_init guard to prevent code execution when ERB objects are reconstructed via Marshal.load on untrusted data. However, ERB#def_method, ERB#def_module, and ERB#def_class evaluate the template source without checking this guard, allowing an attacker who controls the data passed to Marshal.load to bypass the protection and execute arbitrary code. In particular, def_module takes no arguments, making it straightforward to invoke as part of a deserialization gadget chain.

Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later.

Affected versions

  • erb gem 6.0.3 or lower

Credits

Thanks to TristanInSec for discovering this issue.

History

  • Originally published at 2026-04-21 07:51:00 (UTC)
