CVE-2022-28739

7.5 HIGH

📋 TL;DR

This vulnerability is a buffer over-read in Ruby's String-to-Float conversion functions (Kernel#Float and String#to_f). It allows attackers to read memory beyond allocated buffers, potentially exposing sensitive information or causing crashes. Affected users include anyone running vulnerable Ruby versions in applications that process untrusted string input.

💻 Affected Systems

Products:
  • Ruby
Versions: Ruby <2.6.10, 2.7.x <2.7.6, 3.x <3.0.4, 3.1.x <3.1.2
Operating Systems: All operating systems running affected Ruby versions
Default Config Vulnerable: ⚠️ Yes
Notes: All Ruby installations using vulnerable versions are affected when string-to-float conversion occurs.

📦 What is this software?

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure leading to exposure of sensitive data like passwords, keys, or application memory contents; potential denial of service through application crashes.

🟠

Likely Case

Application crashes or instability when processing maliciously crafted string inputs; potential information leakage in memory contents.

🟢

If Mitigated

Limited impact with proper input validation and sandboxing; crashes contained within affected processes.

🌐 Internet-Facing: MEDIUM - Applications accepting user input for float conversion could be exploited remotely, but requires specific input conditions.
🏢 Internal Only: LOW - Internal systems typically process trusted data, reducing exposure unless handling external inputs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific string inputs; public disclosures include technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ruby 2.6.10, 2.7.6, 3.0.4, 3.1.2 or later

Vendor Advisory: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overread-in-string-to-float-cve-2022-28739/

Restart Required: Yes

Instructions:

1. Update Ruby using your package manager (apt, yum, brew) or compile from source.
2. For RVM/rbenv: rvm install ruby-3.1.2 or rbenv install 3.1.2.
3. Restart all Ruby processes and applications.

🔧 Temporary Workarounds

Input Validation

all

Validate and sanitize all string inputs before float conversion

# Example Ruby validation (params as in a Rails controller)
input = params[:float_input].to_s   # to_s so a missing parameter becomes "" rather than nil
if input.match?(/\A\d+(\.\d+)?\z/)  # unsigned decimal digits with an optional fraction only
  value = input.to_f
else
  # Handle invalid input: reject it instead of passing it to the float parser
  raise ArgumentError, "invalid float input"
end

🧯 If You Can't Patch

  • Implement strict input validation for all string-to-float conversions
  • Isolate Ruby applications in containers or VMs with limited network access

🔍 How to Verify

Check if Vulnerable:

Run: ruby -v and compare with affected versions

Check Version:

ruby -v

Verify Fix Applied:

Confirm version is 2.6.10+, 2.7.6+, 3.0.4+, or 3.1.2+
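The version check above and the input-validation workaround, as an added example (not code from the advisory or the Ruby project). It assumes the fixed releases listed on this page (2.6.10, 2.7.6, 3.0.4, 3.1.2) and treats 3.2 and later as post-fix; the allowlist pattern and the 64-byte length cap are my choices, not a specification of which inputs trigger the bug, so the wrapper reduces what reaches the parser but does not replace upgrading.

```ruby
# Added example: version gate for CVE-2022-28739 plus an allowlisted float parser.

# Minimum fixed release per branch, as listed on this page (assumed complete).
FIXED_VERSIONS = {
  [2, 6] => [2, 6, 10],
  [2, 7] => [2, 7, 6],
  [3, 0] => [3, 0, 4],
  [3, 1] => [3, 1, 2],
}.freeze

# "3.0.4" -> [3, 0, 4]; Array#<=> then compares segment by segment.
def parse_version(version_string)
  version_string.split(".").map(&:to_i)
end

# True when the given Ruby version carries the fix.
def patched_ruby?(version_string = RUBY_VERSION)
  version = parse_version(version_string)
  return true if (version <=> [3, 2]) >= 0    # 3.2+ shipped after the fix
  minimum = FIXED_VERSIONS[version.first(2)]
  return false if minimum.nil?                # 2.5 and older: unsupported, unpatched
  (version <=> minimum) >= 0
end

# Allowlist for plain decimal floats: optional sign, digits, optional fraction,
# optional exponent. Hex floats, underscores, whitespace and control bytes are
# rejected before any C-level parsing happens; the cap bounds input size.
FLOAT_PATTERN = /\A[+-]?\d+(\.\d+)?([eE][+-]?\d+)?\z/
MAX_FLOAT_INPUT = 64

# Returns a Float for well-formed input, nil for anything rejected.
def safe_float(input)
  return nil unless input.is_a?(String)
  return nil if input.bytesize > MAX_FLOAT_INPUT
  return nil unless input.match?(FLOAT_PATTERN)
  Float(input)
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION} patched for CVE-2022-28739: #{patched_ruby?}"
  ["1.5", "-2e3", "0x1p3", "1_000", " 1.0"].each do |s|
    puts "#{s.inspect} -> #{safe_float(s).inspect}"
  end
end
```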

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unexpected memory access errors in logs

Network Indicators:

  • Unusual string patterns in input data

SIEM Query:

source="application.log" AND ("segmentation fault" OR "buffer over-read" OR "Float conversion error")
