Description
mrubyc through 3.4.1 was found to contain a NULL pointer dereference in src/vm.c in op_super() / OP_SUPER due to a missing runtime guard for top-level super.
Published: 2026-07-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference occurs in the mrubyc virtual machine implementation when executing the OP_SUPER instruction, due to an absent runtime guard for top‑level super. The flaw allows an improperly formed super expression to trigger a dereference of a null pointer, leading to an application crash or memory corruption. This weakness aligns with CWE‑476: NULL Pointer Dereference and can compromise the reliability of any service leveraging mrubyc.

Affected Systems

Versions of mrubyc up to and including 3.4.1 are affected. No explicit vendor or product list is provided beyond the mrubyc project; the vulnerability exists in the public source repository and applies to all installations running these versions.

Risk and Exploitability

The exploit probability (EPSS) score is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly documented exploits at this time. The CVSS score is not supplied, so the inherent severity remains unclear, but a NULL pointer dereference can cause a process to terminate or, in some environments, may be leveraged for arbitrary code execution if an attacker can control the offending pointer. The likely attack vector is inferred to be local or remotely via a malicious mrubyc script, but exact conditions are not detailed in the description.

Generated by OpenCVE AI on July 7, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch provided in GitHub commit c4aa2a06bfdd13a0f1ae5165c5760a2530314a42, which adds the missing guard for top‑level super in src/vm.c.
  • If the patch cannot be applied, modify mrubyc source by introducing a guard in src/vm.c that verifies the super pointer before dereferencing.
  • After applying the fix, restart all services or applications that rely on mrubyc and monitor for unexpected crashes to ensure stability.

Generated by OpenCVE AI on July 7, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Title NULL Pointer Dereference in mrubyc VM op_super
Weaknesses CWE-476

Mon, 06 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description mrubyc through 3.4.1 was found to contain a NULL pointer dereference in src/vm.c in op_super() / OP_SUPER due to a missing runtime guard for top-level super.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-06T21:24:50.602Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38976

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T06:30:16Z

Weaknesses