PatchSiren cyber security CVE debrief
CVE-2026-27820 ruby CVE debrief
CVE-2026-27820 is a low-severity memory corruption issue in Ruby's zlib gem. The flaw is in Zlib::GzipReader: zstream_buffer_ungets prepends caller-provided bytes ahead of already-produced output, but it does not always ensure the underlying Ruby string has enough capacity before memmove shifts the existing data forward, so the move can write past the end of the allocation. The CVE was published on 2026-04-16 and last modified on 2026-05-21. Fixed releases of the zlib gem are 3.0.1, 3.1.2, and 3.2.3.
- Vendor: ruby
- Product: zlib
- CVSS: LOW 1.7
- CISA KEV: not listed in stored evidence
- Original CVE published: 2026-04-16
- Original CVE updated: 2026-05-21
- Advisory published: 2026-04-16
- Advisory updated: 2026-05-21
Who should care
Application and platform teams that ship Ruby applications using the zlib gem, especially where Zlib::GzipReader processes attacker-controlled or otherwise untrusted gzip input. Package maintainers and security teams should also check whether downstream bundles, container images, or vendored interpreters pin an affected version.
Technical summary
The issue is a buffer overflow in the Ruby zlib wrapper, specifically in Zlib::GzipReader's zstream_buffer_ungets path. According to the vendor and NVD records, the function prepends caller-provided bytes ahead of existing output without first guaranteeing enough backing-string capacity, so the subsequent memmove that shifts the existing data forward can operate on an undersized buffer and corrupt memory. NVD lists the affected ranges as versions up to and including 3.0.0, 3.1.0 through 3.1.1, and 3.2.0 through 3.2.1; the fixes are in 3.0.1, 3.1.2, and 3.2.3. Note that the stored records neither list 3.2.2 as affected nor name it as a fix, so treat 3.2.3 as the target on the 3.2 line rather than assuming 3.2.2 is safe. The published CVSS v4.0 score (1.7) is low, but the vector records an integrity impact and requires no user interaction.
Defensive priority
Low overall based on the published score, but the upgrade priority rises for environments that routinely decompress untrusted data or that cannot easily isolate the Ruby processes doing so. The safest response is to move to a fixed release as soon as practical.
Recommended defensive actions
- Upgrade the zlib gem to 3.0.1, 3.1.2, or 3.2.3, depending on your release line.
- Inventory applications and containers for bundled or transitive zlib versions that fall within the affected ranges; zlib is a default gem, so check both Gemfile.lock pins and the copy that ships with each interpreter.
- Treat any use of Zlib::GzipReader on untrusted input as higher priority for remediation and validation.
- If immediate upgrading is not possible, backport the vendor fix through your normal package-maintenance process.
- Monitor Ruby services that use gzip decompression for unexpected crashes or other memory-corruption symptoms until they are patched.
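The inventory step above is mechanical enough to script. The following is an added example, not code from the page or from the Ruby project: it encodes the NVD affected ranges and fixed releases for CVE-2026-27820 exactly as listed in the technical summary, classifies a zlib gem version as affected, fixed, or unknown (3.2.2, which the records do not cover, comes out as unknown rather than being guessed), and pulls zlib pins out of Gemfile.lock text. The lockfile fragment is constructed for the example; the lockfile line format and the Gem::Specification lookup are standard RubyGems behaviour.

```ruby
require "rubygems"

# Affected ranges and fixed releases exactly as listed in the NVD record for
# CVE-2026-27820 (zlib gem for Ruby). A version outside both sets is reported
# as :unknown rather than guessed.
AFFECTED_RANGES = [
  Gem::Requirement.new("<= 3.0.0"),
  Gem::Requirement.new(">= 3.1.0", "<= 3.1.1"),
  Gem::Requirement.new(">= 3.2.0", "<= 3.2.1"),
].freeze

FIXED_RELEASES = %w[3.0.1 3.1.2 3.2.3].map { |v| Gem::Version.new(v) }.freeze

# Classify a single zlib gem version string.
#   :affected - inside a range NVD lists as vulnerable
#   :fixed    - at or above the fixed release of its own 3.x line, or above the
#               newest fixed release when the line has no listed fix (e.g. 3.3.0)
#   :unknown  - neither, e.g. 3.2.2, which the stored records do not cover
def classify_zlib_version(str)
  v = Gem::Version.new(str)
  return :affected if AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }

  line = v.segments[0, 2]
  line_fix = FIXED_RELEASES.find { |f| f.segments[0, 2] == line }
  return :fixed if line_fix ? v >= line_fix : v >= FIXED_RELEASES.max

  :unknown
end

# Pull every pinned zlib version out of Gemfile.lock text. Lockfile entries look
# like "    zlib (3.1.1)"; a platform-suffixed pin such as
# "zlib (3.1.1-x64-mingw32)" is reduced to its version part.
def zlib_versions_in_lockfile(text)
  text.scan(/^\s*zlib \(([0-9][^)\s-]*)/).flatten.uniq
end

# Triage a lockfile: { version => classification } for each zlib pin. An empty
# hash means zlib is not pinned, so the app uses whichever copy ships with its
# interpreter; run installed_zlib_versions on that host instead.
def triage_lockfile(text)
  zlib_versions_in_lockfile(text).to_h { |ver| [ver, classify_zlib_version(ver)] }
end

# Versions of the zlib gem installed in the current Ruby (live check on a host).
def installed_zlib_versions
  Gem::Specification.find_all_by_name("zlib").map { |s| s.version.to_s }
end

# Constructed sample lockfile fragment, not taken from any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.2.1)
      zlib (3.1.1)
      zlib (3.1.1-x64-mingw32)
LOCK

if $PROGRAM_NAME == __FILE__
  triage_lockfile(SAMPLE_LOCKFILE).each { |ver, status| puts "zlib #{ver}: #{status}" }
  puts "installed here: #{installed_zlib_versions.join(', ')}"
end
```

Run it against each Gemfile.lock in your repositories, then on each production host or image run the installed check, because an application that never pins zlib is still using the default gem bundled with its interpreter.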
Evidence notes
All substantive claims here come from the supplied official records: the CVE/NVD metadata, the vendor advisory, and the linked report reference. The NVD record marks the vulnerability as analyzed and lists the affected CPE ranges and the CVSS vector. The vendor advisory states that the bug is a buffer overflow in Zlib::GzipReader and identifies the fixed versions. CVE publication date used for timing context: 2026-04-16; last modified: 2026-05-21.
Official resources
- CVE-2026-27820 CVE record (CVE.org)
- CVE-2026-27820 NVD detail (NVD)
- Mitigation or vendor reference: NVD reference tagged Vendor Advisory
- Source reference: NVD reference tagged Permissions Required
Publicly disclosed on 2026-04-16 and updated in NVD on 2026-05-21. No KEV listing is present in the provided data.