CVE-2022-1106

Severity: 9.1 CRITICAL

📋 TL;DR

CVE-2022-1106 is a use-after-free vulnerability in mrb_vm_exec, the bytecode execution loop of mruby, a lightweight Ruby implementation. The memory corruption lets an attacker who can get crafted Ruby code executed by the interpreter run arbitrary code or crash the process (denial of service). Anyone running an mruby version prior to 3.2 is affected.

💻 Affected Systems

Products:
  • mruby
Versions: All versions prior to 3.2
Operating Systems: All platforms running mruby
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or system using mruby to execute Ruby code is vulnerable.

📦 What is this software?

mruby is a lightweight implementation of the Ruby language designed to be embedded in other applications and systems that need to execute Ruby code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash causing denial of service, potentially leading to data corruption or service disruption.

🟢 If Mitigated

Limited impact with proper memory protections and exploit mitigations such as ASLR and DEP.

🌐 Internet-Facing: HIGH - If mruby processes untrusted input from external sources, exploitation is possible.
🏢 Internal Only: MEDIUM - Internal systems may still be vulnerable to insider threats or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

A proof-of-concept exists in public repositories. Exploitation requires getting crafted Ruby code executed by the vulnerable interpreter, so the exposure of an application depends on whether it runs Ruby source or bytecode from untrusted sources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: mruby 3.2 and later

Vendor Advisory: https://github.com/mruby/mruby/commit/7f5a490d09f4d56801ac3a3e4e39e03e1471b44c

Restart Required: Yes

Instructions:

1. Update mruby to version 3.2 or later.
2. Recompile any applications that link or embed mruby.
3. Restart affected services.

🔧 Temporary Workarounds

Input Validation

Platform: all

Implement strict input validation so that untrusted Ruby code never reaches the mruby interpreter. Note that validation cannot reliably tell "safe" Ruby from malicious Ruby; the effective control is to not execute Ruby source or bytecode from untrusted sources at all until the patched version is deployed.

Memory Protection

Platform: linux

Enable ASLR, DEP/NX, and other memory protection mechanisms at the OS level. These raise the cost of turning the use-after-free into code execution but do not prevent the crash or remove the bug. The original `kernel.exec-shield` sysctl is a legacy Red Hat-only setting that does not exist on mainline kernels, so the equivalent `randomize_va_space` sysctl is used here instead.

# Enable full ASLR (stack, mmap base, VDSO and brk randomization)
echo 2 > /proc/sys/kernel/randomize_va_space
# Same setting, persisted via sysctl (put it in /etc/sysctl.d/ to survive reboots)
sysctl -w kernel.randomize_va_space=2

🧯 If You Can't Patch

  • Isolate mruby applications in restricted network segments with minimal privileges.
  • Implement application allowlisting to prevent execution of unauthorized mruby processes.

🔍 How to Verify

Check if Vulnerable:

Check the mruby version with `mruby --version`, or examine the application's dependencies for the version of libmruby it was built against; any version below 3.2 is vulnerable.

Check Version:

mruby --version

Verify Fix Applied:

Confirm that the installed mruby version is 3.2 or later. When building from source, verify that commit 7f5a490d09f4d56801ac3a3e4e39e03e1471b44c is an ancestor of the revision you build from.
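The two checks above (version string and fix commit) as a small POSIX shell script. This is an added example, not part of the advisory or of the mruby project; it assumes `mruby --version` prints a line starting with "mruby <major>.<minor>.<patch>", and the commit check assumes you have a git checkout of the mruby source you built from. The fix commit hash is the one given in the Vendor Advisory above.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an mruby version against the
# CVE-2022-1106 fix version (3.2) and, optionally, confirm the fix commit is in
# the source tree that was built.

FIX_COMMIT=7f5a490d09f4d56801ac3a3e4e39e03e1471b44c   # from the vendor advisory
FIX_MAJOR=3
FIX_MINOR=2

# mruby_version_fixed VERSION_STRING
#   Accepts the raw output of `mruby --version` ("mruby 3.1.0 (2022-05-12)")
#   or a bare version such as "3.2.0".
#   Returns 0 if the version is >= 3.2 (fixed), 1 if older (vulnerable),
#   2 if the string cannot be parsed.
mruby_version_fixed() {
    raw=${1#"mruby "}               # drop the "mruby " prefix if present
    case $raw in *.*) ;; *) return 2 ;; esac   # need at least major.minor
    major=${raw%%.*}                # text before the first dot
    rest=${raw#*.}                  # text after the first dot
    minor=${rest%%[!0-9]*}          # leading digits of that remainder
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt "$FIX_MAJOR" ] ||
       { [ "$major" -eq "$FIX_MAJOR" ] && [ "$minor" -ge "$FIX_MINOR" ]; }; then
        return 0
    fi
    return 1
}

# mruby_fix_commit_present [SOURCE_DIR]
#   In an mruby git checkout, succeed if the fix commit is reachable from HEAD.
mruby_fix_commit_present() {
    git -C "${1:-.}" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# check_installed_mruby
#   Runs the live version check against the mruby binary on PATH.
check_installed_mruby() {
    if ! command -v mruby >/dev/null 2>&1; then
        echo "mruby not found on PATH" >&2
        return 2
    fi
    out=$(mruby --version 2>/dev/null | head -n 1)
    mruby_version_fixed "$out"
    rc=$?
    case $rc in
        0) echo "OK: $out (>= 3.2, CVE-2022-1106 fixed)" ;;
        1) echo "VULNERABLE: $out (< 3.2, update to 3.2 or later)" ;;
        *) echo "UNKNOWN: could not parse version from '$out'" ;;
    esac
    return $rc
}

# Run the live check only when invoked as `sh check-mruby.sh check`, so the
# functions above can also be sourced from other scripts.
if [ "${1:-}" = "check" ]; then
    check_installed_mruby
    exit $?
fi
```

The exit status of `check_installed_mruby` (0 fixed, 1 vulnerable, 2 unknown) makes the script usable from a configuration-management or CI job; for a statically linked application that embeds libmruby, run `mruby_version_fixed` against the version recorded in the build's dependency manifest instead of the CLI.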

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Memory access violation errors in system logs
  • Abnormal process termination

Network Indicators:

  • Unusual network connections from mruby processes
  • Suspicious payloads containing Ruby code

SIEM Query:

source="*mruby*" AND (event_type="crash" OR error="segmentation fault")

Crash indicators are evidence of a failed or unstable exploitation attempt, not proof of compromise; a successful exploit of a use-after-free need not crash the process, so pair this query with the network indicators above.
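Host-level equivalent of the SIEM query above, as an added example that is not part of the advisory: a POSIX shell/awk filter that pulls crash indicators for mruby-based processes out of syslog-style lines. The process name list (`mruby` plus a constructed service name `myapp`) and the sample log lines are constructed for the example; on a real host, feed it `journalctl -k` or `/var/log/syslog` output and list the names of the services that embed libmruby.

```shell
#!/bin/sh
# Added example (not from the advisory): flag crash indicators for processes
# that run mruby, the host-side counterpart of the SIEM query.

# Process names whose crashes should be flagged: the mruby CLI itself plus any
# service that embeds libmruby. "myapp" is a constructed placeholder.
MRUBY_PROCS="${MRUBY_PROCS:-mruby myapp}"

# mruby_crash_lines
#   Reads log lines on stdin and prints those that both mention one of
#   $MRUBY_PROCS and carry a crash indicator: a kernel segfault report,
#   SIGSEGV/SEGV from the service manager, or a core dump notice.
mruby_crash_lines() {
    awk -v procs="$MRUBY_PROCS" '
        BEGIN { n = split(procs, p, " ") }
        /segfault at|SIGSEGV|SEGV|code=dumped|core dumped/ {
            for (i = 1; i <= n; i++) if (index($0, p[i])) { print; next }
        }'
}

# count_mruby_crashes
#   Same filter, but prints only the number of matching lines.
count_mruby_crashes() {
    mruby_crash_lines | wc -l | tr -d ' '
}

# Constructed sample log (syslog format). Lines 1 and 2 should be flagged;
# line 3 is unrelated; line 4 is a segfault in a process that is not on the list.
SAMPLE_LOG='Mar 30 10:12:01 host kernel: mruby[2314]: segfault at 0 ip 00005581d3a1c0f0 sp 00007ffd4c3b1e10 error 4 in mruby[5581d3a00000+80000]
Mar 30 10:12:05 host systemd[1]: myapp.service: Main process exited, code=dumped, status=11/SEGV
Mar 30 10:13:00 host sshd[900]: Accepted publickey for deploy from 10.0.0.5
Mar 30 10:14:00 host kernel: otherd[77]: segfault at 8 ip 0000000000401000 sp 00007ffd00000000 error 4 in otherd[400000+1000]'

# sample_crash_count
#   Runs the filter over the constructed sample and prints the match count.
sample_crash_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_mruby_crashes
}

# Run against the sample only when invoked as `sh mruby-crashes.sh demo`.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | mruby_crash_lines
    echo "matches: $(sample_crash_count)"
fi
```

A single match is worth a look; a burst of matches from the same service within minutes is the pattern to alert on, since a PoC against this bug typically takes several attempts to land.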
