DEBIAN-CVE-2025-13120

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-13120

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13120.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-13120

Upstream

CVE-2025-13120

Published

2025-11-13T16:15:51.100Z

Modified

2025-12-05T12:32:32.006075Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability has been found in mruby up to 3.4.0. This vulnerability affects the function sort_cmp of the file src/array.c. Such manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc. It is advisable to implement a patch to correct this issue.

References

https://security-tracker.debian.org/tracker/CVE-2025-13120

Affected packages

Debian:11 / mruby

Package

Name: mruby
Purl: pkg:deb/debian/mruby?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1.2-3

3.*

3.0.0-1

3.0.0-2

3.0.0-3

3.0.0-4

3.1.0-1

3.1.0-2

3.1.0-3

3.2.0-1

3.2.0-2

3.3.0~rc2-1

3.3.0-1

3.4.0-1~exp1

3.4.0-1~exp2

3.4.0-1

3.4.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13120.json"

Debian:12 / mruby

Package

Name: mruby
Purl: pkg:deb/debian/mruby?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.0-3

3.2.0-1

3.2.0-2

3.3.0~rc2-1

3.3.0-1

3.4.0-1~exp1

3.4.0-1~exp2

3.4.0-1

3.4.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13120.json"

Debian:13 / mruby

Package

Name: mruby
Purl: pkg:deb/debian/mruby?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.0-1

3.4.0-1~exp1

3.4.0-1~exp2

3.4.0-1

3.4.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13120.json"

Debian:14 / mruby

Package

Name: mruby
Purl: pkg:deb/debian/mruby?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.0-1

3.4.0-1~exp1

3.4.0-1~exp2

3.4.0-1

3.4.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13120.json"