Unrated severity | NVD Advisory | Published May 9, 2022 | Updated Nov 4, 2025
CVE-2022-28739
Description
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
Affected products
65 affected products (Ruby/Ruby), 64 version entries:
- pkg:bitnami/ruby
- pkg:bitnami/ruby-min
- pkg:rpm/almalinux/ruby
- pkg:rpm/almalinux/ruby-default-gems
- pkg:rpm/almalinux/ruby-devel
- pkg:rpm/almalinux/ruby-doc
- pkg:rpm/almalinux/rubygem-abrt
- pkg:rpm/almalinux/rubygem-abrt-doc
- pkg:rpm/almalinux/rubygem-bigdecimal
- pkg:rpm/almalinux/rubygem-bson
- pkg:rpm/almalinux/rubygem-bson-doc
- pkg:rpm/almalinux/rubygem-bundler
- pkg:rpm/almalinux/rubygem-bundler-doc
- pkg:rpm/almalinux/rubygem-did_you_mean
- pkg:rpm/almalinux/rubygem-io-console
- pkg:rpm/almalinux/rubygem-irb
- pkg:rpm/almalinux/rubygem-json
- pkg:rpm/almalinux/rubygem-minitest
- pkg:rpm/almalinux/rubygem-mongo
- pkg:rpm/almalinux/rubygem-mongo-doc
- pkg:rpm/almalinux/rubygem-mysql2
- pkg:rpm/almalinux/rubygem-mysql2-doc
- pkg:rpm/almalinux/rubygem-net-telnet
- pkg:rpm/almalinux/rubygem-openssl
- pkg:rpm/almalinux/rubygem-pg
- pkg:rpm/almalinux/rubygem-pg-doc
- pkg:rpm/almalinux/rubygem-power_assert
- pkg:rpm/almalinux/rubygem-psych
- pkg:rpm/almalinux/rubygem-rake
- pkg:rpm/almalinux/rubygem-rbs
- pkg:rpm/almalinux/rubygem-rdoc
- pkg:rpm/almalinux/rubygem-rexml
- pkg:rpm/almalinux/rubygem-rss
- pkg:rpm/almalinux/rubygems
- pkg:rpm/almalinux/rubygems-devel
- pkg:rpm/almalinux/rubygem-test-unit
- pkg:rpm/almalinux/rubygem-typeprof
- pkg:rpm/almalinux/rubygem-xmlrpc
- pkg:rpm/almalinux/ruby-irb
- pkg:rpm/almalinux/ruby-libs
- pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.3
- pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.4
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Enterprise%20Storage%206
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Enterprise%20Storage%207
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Micro%205.0
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Proxy%204.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Server%204.1
Affected version ranges (no CPE assigned to any entry):
- (no CPE) range: < 2.6.10
- (no CPE) range: < 2.6.10
- (no CPE) range: < 2.7.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.7.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.7.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.7.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 0.4.0-1.module_el8.5.0+2595+0c654ebc
- (no CPE) range: < 0.4.0-1.module_el8.5.0+2595+0c654ebc
- (no CPE) range: < 2.0.0-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 4.8.1-1.module_el8.5.0+117+35d1289b
- (no CPE) range: < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE) range: < 2.2.24-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 1.16.1-4.module_el8.5.0+2625+ec418553
- (no CPE) range: < 1.2.0-111.module_el8.9.0+3635+c6f99506
- (no CPE) range: < 0.5.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 1.2.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.3.0-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 5.13.0-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE) range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE) range: < 0.5.3-1.module_el8.4.0+2399+4e3a532a
- (no CPE) range: < 0.5.3-1.module_el8.5.0+2595+0c654ebc
- (no CPE) range: < 0.2.0-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.1.3-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 1.2.3-1.module_el8.5.0+2595+0c654ebc
- (no CPE) range: < 1.2.3-1.module_el8.5.0+2595+0c654ebc
- (no CPE) range: < 1.1.7-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 3.1.0-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 13.0.1-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 1.4.0-141.module_el8.6.0+3263+41cde0c0
- (no CPE) range: < 6.2.1.1-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 3.2.5-141.module_el8.6.0+3263+41cde0c0
- (no CPE) range: < 0.2.9-141.module_el8.6.0+3263+41cde0c0
- (no CPE) range: < 3.1.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 3.1.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 3.3.4-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 0.15.2-141.module_el8.6.0+3263+41cde0c0
- (no CPE) range: < 0.3.0-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.5.9-111.module_el8.9.0+3635+c6f99506
- (no CPE) range: < 2.7.6-138.module_el8.6.0+3263+904da987
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
- (no CPE) range: < 2.5.9-150000.4.23.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
14 references:
- seclists.org/fulldisclosure/2022/Oct/28 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/29 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/30 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/41 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/42 (mitre, mailing-list)
- hackerone.com/reports/1248108 (mitre)
- lists.debian.org/debian-lts-announce/2023/06/msg00012.html (mitre)
- security-tracker.debian.org/tracker/CVE-2022-28739 (mitre)
- security.gentoo.org/glsa/202401-27 (mitre)
- security.netapp.com/advisory/ntap-20220624-0002/ (mitre)
- support.apple.com/kb/HT213488 (mitre)
- support.apple.com/kb/HT213493 (mitre)
- support.apple.com/kb/HT213494 (mitre)
- www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/ (mitre)
News mentions
No linked articles in our index yet.