CVE-2015-7551

high

Published 2016-03-24 · Modified 2026-05-06

CVSS v3

8.4

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

4.6

VIR risk

8.4

Description

The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.

Predictions

Exploit likelihood

80%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://support.apple.com/HT206167

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2015-7551.html

OS impact

OS	Version	Status	Fixed in
sles		affected
macos		affected

Application impact

Vendor	Product	Versions
ruby-lang	ruby	`{"endIncluding":"2.0.0-p647"}`
ruby-lang	ruby	`2.1.0`
ruby-lang	ruby	`2.1.1`
ruby-lang	ruby	`2.1.2`
ruby-lang	ruby	`2.1.3`
ruby-lang	ruby	`2.1.4`
ruby-lang	ruby	`2.1.5`
ruby-lang	ruby	`2.1.6`
ruby-lang	ruby	`2.1.7`
ruby-lang	ruby	`2.2.0`
ruby-lang	ruby	`2.2.1`
ruby-lang	ruby	`2.2.2`
ruby-lang	ruby	`2.2.3`

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.