vulnerability
Amazon Linux AMI 2: CVE-2016-2338: Security patch for ruby (ALAS-2025-2990)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | May 20, 2026 | May 20, 2026 | May 20, 2026 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
May 20, 2026
Added
May 20, 2026
Modified
May 20, 2026
Description
An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow.
Solutions
amazon-linux-ami-2-upgrade-rubyamazon-linux-ami-2-upgrade-ruby-debuginfoamazon-linux-ami-2-upgrade-ruby-develamazon-linux-ami-2-upgrade-ruby-docamazon-linux-ami-2-upgrade-ruby-irbamazon-linux-ami-2-upgrade-ruby-libsamazon-linux-ami-2-upgrade-ruby-tcltkamazon-linux-ami-2-upgrade-rubygem-bigdecimalamazon-linux-ami-2-upgrade-rubygem-io-consoleamazon-linux-ami-2-upgrade-rubygem-jsonamazon-linux-ami-2-upgrade-rubygem-minitestamazon-linux-ami-2-upgrade-rubygem-psychamazon-linux-ami-2-upgrade-rubygem-rakeamazon-linux-ami-2-upgrade-rubygem-rdocamazon-linux-ami-2-upgrade-rubygemsamazon-linux-ami-2-upgrade-rubygems-devel
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.