Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:20596: Important: ruby:4.0 security update

This update addresses two critical vulnerabilities in Ruby: a format string injection in the JSON gem (CVE-2026-33210, CVSS 9.1 CRITICAL) leading to denial of service or information disclosure, and a deserialization bypass in ERB (CVE-2026-41316, CVSS 8.1 HIGH) allowing arbitrary code execution. The JSON vulnerability affects ruby-lang/json versions 2.14.0 through 2.15.2.0, 2.16.0 through 2.17.1.1, and 2.18.0 through 2.19.1, which are fixed in versions 2.15.2.1, 2.17.1.2, and 2.19.2 respectively. Red Hat has rated this update as Important for the ruby:4.0 module on RHEL 9.

Red Hat Product Errata
RHSA-2026:20596 - Security Advisory
Issued: 2026-05-26
Updated: 2026-05-26

Synopsis
Important: ruby:4.0 security update

Type/Severity
Security Advisory: Important

Topic
An update for the ruby:4.0 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es):
ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection (CVE-2026-33210)
erb: ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 9 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
Red Hat Enterprise Linux for IBM z Systems 9 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
Red Hat Enterprise Linux for Power, little endian 9 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
Red Hat Enterprise Linux for ARM 64 9 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes
BZ - 2449871 - CVE-2026-33210 ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection
BZ - 2461369 - CVE-2026-41316 erb: ERB: Arbitrary code execution via deserialization bypass
RHEL-171933 - ruby:4.0/ruby: Rebase to the latest Ruby 4.0 release [rhel-9.8.z]

CVEs
CVE-2026-33210
CVE-2026-41316

References
https://access.redhat.com/security/updates/classification/#important
