VIR Vulnerability Intelligence Relay

CVE-2017-14064

critical
Published 2017-08-31 · Modified 2026-05-13
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-14064.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bugs.ruby-lang.org/issues/13853

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debian8.0affected
debian debian9.0affected
redhat rhel7.0affected
ubuntu ubuntu14.04affected
ubuntu ubuntu16.04affected
ubuntu ubuntu17.10affected

Application impact
VendorProductVersionsFixed
ruby ruby-langruby{"endIncluding":"2.2.7"}
ruby ruby-langruby2.3.0
ruby ruby-langruby2.3.1
ruby ruby-langruby2.3.2
ruby ruby-langruby2.3.3
ruby ruby-langruby2.3.4
ruby ruby-langruby2.4.0
ruby ruby-langruby2.4.1

References

CWEs

CWE-119

Verify integrity in audit chain (admin only). AS-IS.