Critical severity9.8NVD Advisory· Published Jan 6, 2017· Updated May 6, 2026

CVE-2016-2339

Description

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.

Affected products

Ruby Lang/Ruby2 versions
cpe:2.3:a:ruby-lang:ruby:2.2.2:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:ruby-lang:ruby:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*
Ruby/Rubyv5
Range: 2.3.0 dev

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.talosintelligence.com/reports/TALOS-2016-0034/nvdExploitTechnical DescriptionThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/91234nvd
lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000