CVE-2018-16396

An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.

Published: Nov 16, 2018
Updated: Nov 9, 2025
CVE: CVE-2018-16396
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
ruby-lang / ruby	2.6.0-preview1	2.6.0-preview1.x
ruby-lang / ruby	2.6.0-preview2	2.6.0-preview2.x
ruby-lang / ruby	2.3.0	2.3.7.x
ruby-lang / ruby	2.4.0	2.4.4.x
ruby-lang / ruby	2.5.0	2.5.1.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	18.10	18.10.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
redhat / enterprise_linux	7.4	7.4.x
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	6.0	6.0.x
redhat / enterprise_linux	7.5	7.5.x
redhat / enterprise_linux	7.6	7.6.x

Vulnerability Database

300,214

CVE-2018-16396

Deep Security Visibility Without the Complexity