CVE-2026-38976 in mrubycinfo

Summary

by MITRE • 07/06/2026

mrubyc through 3.4.1 was found to contain a NULL pointer dereference in src/vm.c in op_super() / OP_SUPER due to a missing runtime guard for top-level super.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability identified in mruby through version 3.4.1 represents a critical null pointer dereference flaw within the virtual machine implementation that could lead to arbitrary code execution or denial of service conditions. This issue manifests specifically in the src/vm.c file at the op_super() function and OP_SUPER operation, where the software fails to properly validate runtime conditions before executing super method calls. The root cause stems from an insufficient guard mechanism that should prevent execution when dealing with top-level super calls, creating a scenario where a null reference is dereferenced during normal program flow.

The technical implementation flaw occurs within the virtual machine's bytecode execution engine where the OP_SUPER instruction handler does not properly check if the current execution context contains valid superclass information before attempting to access it. This missing validation creates an exploitable condition where malicious input or crafted bytecode can trigger the null pointer dereference, potentially causing the entire application to crash or allowing attackers to manipulate memory access patterns. The vulnerability directly maps to CWE-476 which describes NULL Pointer Dereference issues in software implementations.

From an operational perspective, this vulnerability poses significant risks to systems running applications that utilize mruby as their scripting engine, particularly those handling untrusted input or dynamic code generation. Attackers could exploit this weakness by crafting specific bytecode sequences that would cause the virtual machine to attempt super method resolution on invalid contexts, leading to application termination or potential information disclosure. The impact extends beyond simple crashes since such vulnerabilities can be leveraged in more sophisticated attack chains where the null pointer dereference might be used as a stepping stone for privilege escalation or further exploitation.

The security implications of this flaw align with ATT&CK technique T1059.007 which covers script-based execution, particularly when attackers can manipulate scripting environments to achieve unauthorized code execution. Organizations relying on mruby for embedded systems, web applications, or any environment processing dynamic content should consider this vulnerability as a high-priority concern given its potential to affect runtime behavior and system stability. The lack of proper input validation in the virtual machine's super method handling creates an attack surface that could be exploited to compromise entire application stacks.

Mitigation strategies should include immediate patching to version 3.4.2 or later where the missing runtime guard has been implemented, along with implementing additional input sanitization measures for any code executed within mruby environments. System administrators should also consider deploying runtime monitoring solutions that can detect anomalous execution patterns associated with null pointer dereference attempts. The fix typically involves adding proper context validation checks before allowing super method resolution to proceed, ensuring that all superclass references are properly initialized before memory access operations occur. Organizations should also review their codebases for similar patterns in custom implementations and consider implementing defensive programming practices such as mandatory null checks and robust error handling mechanisms to prevent similar issues from occurring in other components of their software infrastructure.

Responsible

MITRE

Reservation

04/06/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!