CVE-2016-2338
Description
An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In the Psych::Emitter start_document function, the heap buffer "head" is allocated based on the length of the tags array. A specially constructed object passed as an element of the tags array can increase the array's size after that allocation and cause a heap overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap overflow in Ruby's Psych::Emitter start_document allows arbitrary code execution via a specially crafted YAML tags array.
Vulnerability
A heap buffer overflow vulnerability exists in the Psych::Emitter start_document function of Ruby versions 2.2.2 and 2.3.0 dev. The function allocates a heap buffer "head" at line 166 using xcalloc, sized by the length of the tags array at that moment. However, during the subsequent loop (lines 169-191), each element of the tags array is accessed, and accessing an element can run Ruby code that mutates the array (e.g., a specially constructed object that appends to the tags array and thereby increases its size). The loop then continues past the originally allocated buffer and writes beyond it [1].
Exploitation
An attacker must provide a specially crafted YAML tags array to the affected Ruby interpreter; the attacker controls the tags array passed to start_document. By including elements that are mutable objects (e.g., a custom Ruby object that modifies the tags array when accessed), the attacker can increase the array size after the initial allocation, so the loop writes to heap memory beyond the buffer and causes a heap overflow. The attack requires no authentication or special network position; it can be triggered by parsing attacker-supplied YAML [1].
Impact
Successful exploitation leads to a heap buffer overflow, which can corrupt adjacent heap memory. This can potentially allow an attacker to achieve arbitrary code execution with the privileges of the Ruby process. The primary impact is on the integrity and availability of the system, and may lead to information disclosure or complete compromise [1].
Mitigation
Ruby released a fix for this vulnerability. Users should upgrade to Ruby versions later than 2.2.2 and 2.3.0. The fix was included in Ruby 2.2.3, 2.3.1, and later releases. No workaround is available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ruby / Psych::Emitter start_document function
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.