CVE-2026-1979 - Vulnerability Details

- mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free

Description

A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue.

Published: 2026-02-06

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is in the JMPNOT-to-JMPIF Optimization function mrb_vm_exec and allows a use‑after‑free condition when specific code manipulations are executed. Attacking code can corrupt memory after the freed resource is referenced, which may result in unintended behavior or compromise program integrity. The vulnerability is limited to local execution and does not expose remote code execution directly.

Affected Systems

mruby versions up to 3.4.0 are affected. The bug resides in the core vm.c component and has been publicly reported with a fix committed at e50f15c1c6e131fa7934355eb02b8173b13df415. Any installation of mruby 3.4.0 or earlier that has not applied this patch is vulnerable.

Risk and Exploitability

The CVSS score of 4.8 reflects a moderate risk. EPSS indicates a low exploitation probability (<1%). The vulnerability is not listed in the CISA KEV catalog. The exploit is local, requiring the attacker to run code on the host, and currently no remote exploitation vectors are documented. The published exploit demonstrates that a local attacker can trigger the use‑after‑free, potentially leading to memory corruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

mruby

affected

Version	Status	Constraints
`3.0`	affected	—
`3.1`	affected	—
`3.2`	affected	—
`3.3`	affected	—
`3.4.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:mruby:mruby:*:*:*:*:*:ruby:*:*

No data.

Vendor	Product	Confidence	Versions
Mruby	Mruby	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patch identified by commit e50f15c1c6e131fa7934355eb02b8173b13df415 or upgrade to a later mruby release that includes this fix.
Recompile mruby with the advised patch to ensure the optimization function no longer dereferences freed memory.
Limit local access to untrusted code execution sites or run mruby in a sandboxed environment to minimize exposure from local attackers.

Generated by OpenCVE AI on April 18, 2026 at 13:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/mruby/mruby/
https://github.com/mruby/mruby/issues/6701
https://github.com/mruby/mruby/issues/6701#issue-3802609843
https://github.com/sysfce2/mruby/commit/e50f15c1c6e131fa7934355eb02b8173b13df415
https://vuldb.com/?ctiid.344501
https://vuldb.com/?id.344501
https://vuldb.com/?submit.743377

History

Sat, 28 Feb 2026 00:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mruby:mruby::::::ruby::*

Mon, 23 Feb 2026 09:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mruby:mruby::::::::

Fri, 06 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mruby Mruby mruby
Vendors & Products		Mruby Mruby mruby

Fri, 06 Feb 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue.
Title		mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free
Weaknesses		CWE-119 CWE-416
References		https://github.com/mruby/mruby/ https://github.com/mruby/mruby/issues/6701 https://github.com/mruby/mruby/issues/6701#issue-3802609843 https://github.com/sysfce2/mruby/commit/e50f15c1c6e131fa7934355eb02b8173b13df415 https://vuldb.com/?ctiid.344501 https://vuldb.com/?id.344501 https://vuldb.com/?submit.743377
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Mruby Mruby

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-06T04:32:09.200Z

Updated: 2026-02-23T09:21:06.088Z

Reserved: 2026-02-05T13:44:19.662Z

Link: CVE-2026-1979

Vulnrichment

Updated: 2026-02-06T20:26:18.193Z

NVD

Status : Analyzed

Published: 2026-02-06T05:16:12.667

Modified: 2026-02-28T00:33:39.090

Link: CVE-2026-1979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object