CVE-2026-41316: ERB Gem Marshal Deserialization Flaw Bypasses Ruby 2.7 Security Guard, Enables RCE
A critical security flaw in Ruby's `erb` default gem exposes applications to remote code execution through a Marshal deserialization bypass. Tracked as CVE-2026-41316 with a CVSS score of 8.1 (HIGH), the vulnerability allows an attacker who can supply untrusted data to `Marshal.load` in a Ruby process with `erb` loaded to circumvent protections introduced in Ruby 2.7.0. The flaw specifically defeats the `@_init` instance-variable guard that was added to `ERB#result` and `ERB#run` to block code execution when an `ERB` object is reconstructed via serialization.
The vulnerability enters target systems through a dependency chain involving `mummer4 → yaggo → ruby`, which bundles `erb` version 6.0.1 as a default gem. This dependency path means the attack surface extends beyond direct `erb` usage to any application that pulls in these packages. The CVSS vector indicates a network-reachable attack path (`AV:N`) with high attack complexity (`AC:H`), since attacker-controlled data must reach the vulnerable `Marshal.load` call. No privileges or user interaction are required, and the impact is full confidentiality, integrity, and availability compromise of the affected component.
Organizations running Ruby applications with the implicated dependency chain face an elevated risk of arbitrary code execution wherever untrusted serialized data can reach the vulnerable code path. Developers should audit their dependency graphs for `mummer4` and `yaggo`, determine whether their environments expose `Marshal.load` to untrusted input, and monitor for a patch addressing this specific bypass. The Ruby security team will likely release an updated `erb` gem; until then, validating serialized data before it reaches `Marshal.load` and network perimeter controls are the primary available mitigations.
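One way to put the "input validation on serialized data" mitigation into practice, as an added Ruby example that is not part of this advisory or of the `erb` project: an allowlist wrapper around `Marshal.load` that uses its per-object callback to refuse any reconstructed object that is not a plain data type, so a reconstructed `ERB` (or any other application object) is rejected before a method such as `result` could ever be called on it. The names `safe_marshal_load` and `rejected?` are hypothetical, and `OpaqueRecord` is a constructed stand-in class, not `ERB`.

```ruby
# Added example: defence-in-depth wrapper around Marshal.load.
# Marshal.load(bytes, proc) invokes proc for every object it reconstructs;
# raising inside the proc aborts the load before the caller can touch anything.
# Only plain data types pass; instance_of? (not is_a?) also turns away subclasses.
ALLOWED_CLASSES = [NilClass, TrueClass, FalseClass, Integer, Float,
                   String, Symbol, Array, Hash].freeze

def safe_marshal_load(bytes)
  Marshal.load(bytes, lambda { |obj|
    unless ALLOWED_CLASSES.any? { |klass| obj.instance_of?(klass) }
      # A reconstructed non-data object (for instance an ERB instance rebuilt
      # from a hand-crafted stream): refuse it before any method runs on it.
      raise TypeError, "refusing to deserialize #{obj.class}"
    end
    obj # Ruby >= 3.1 substitutes the proc's return value, so hand it back
  })
end

# Returns true when the wrapper rejects the stream, false when it loads cleanly.
def rejected?(bytes)
  safe_marshal_load(bytes)
  false
rescue TypeError
  true
end

# Constructed stand-in for an arbitrary application class. It is NOT ERB; it
# only shows that anything outside the allowlist is turned away.
class OpaqueRecord
  def initialize(src)
    @src = src
  end
end

if __FILE__ == $0
  plain = Marshal.dump({ "name" => "demo", "ids" => [1, 2.5, :tag, nil, true] })
  p safe_marshal_load(plain)                                   # plain data round-trips
  p rejected?(Marshal.dump(OpaqueRecord.new("<%= 1 %>")))      # => true
end
```

Classes that define `marshal_load` or `_load` run that hook before the callback sees the object, so this wrapper is a backstop for objects like `ERB` that are only dangerous once used, not a substitute for keeping untrusted bytes away from `Marshal.load` altogether.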