Updated advisory posts against rubysec/ruby-advisory-db@851dcb1

Author: jasnow

advisories/_posts/2026-04-13-CVE-2026-41316.md

@@ -0,0 +1,41 @@
+---
+layout: advisory
+title: 'CVE-2026-41316 (erb): ERB has an @_init deserialization guard bypass via def_module
+  / def_method / def_class'
+comments: false
+categories:
+- erb
+advisory:
+  gem: erb
+  cve: 2026-41316
+  ghsa: q339-8rmv-2mhv
+  url: https://nvd.nist.gov/vuln/detail/CVE-2026-41316
+  title: ERB has an @_init deserialization guard bypass via def_module / def_method
+    / def_class
+  date: 2026-04-13
+  description: |-
+    ERB implements an @_init guard to prevent code execution when ERB
+    objects are reconstructed via Marshal.load on untrusted data. However,
+    ERB#def_method, ERB#def_module, and ERB#def_class evaluate the template
+    source without checking this guard, allowing an attacker who controls
+    the data passed to Marshal.load to bypass the protection and execute
+    arbitrary code. In particular, def_module takes no arguments, making
+    it straightforward to invoke as part of a deserialization gadget chain.
+
+    Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1,
+    6.0.4 or later.
+  cvss_v3: 8.1
+  patched_versions:
+  - "~> 4.0.3.1"
+  - "~> 4.0.4.1"
+  - "~> 6.0.1.1"
+  - ">= 6.0.4"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-41316
+    - https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released
+    - https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316
+    - https://github.com/ruby/erb/blob/master/NEWS.md
+    - https://github.com/ruby/erb/commit/9d017be4e375cdd058650ce528ee6adfead20cac
+    - https://github.com/advisories/GHSA-q339-8rmv-2mhv
+---