January 6, 2026

Santa brought a memory peek

Article URL →HN comments →

Vulnerability in Ruby that has existed since 2002

Ruby’s 20-year bug crashes Christmas—devs split: ‘rewrite it’ vs ‘meh, it’s fine’

TLDR: A researcher found a long-hidden Ruby bug that can read past a string, but it’s in a rarely used feature and a fix is underway. Comments split between “C strikes again—rewrite in Rust” and “edge case, chill,” with jokes about a Christmas ghost in Ruby.

Ruby’s big Christmas release came with a ghost of Christmas past: a bug that’s apparently been hiding in Ruby since 2002. A researcher revisiting old quirks found a way to make a rarely used array “packing” trick read more memory than it should—basically, a peek where you shouldn’t. The crowd reaction? Equal parts shock and eye-roll. One top comment bluntly captured it: “20+ years… C’s signed vs unsigned conversions are nasty.” Others reminded everyone that this feature is obscure and hard to abuse, and the fix is already in motion via PR #15763. So yes, it’s real—but no, your average app probably isn’t on fire.

Then the drama kicked off. The “rewrite it in Rust” chorus arrived right on time, clashing with the “calm down, this is an edge case” camp. Old-school Rubyists shrugged, noting this quirky “pack” tool borrowed from Perl that most devs never touch. Newer devs turned it into comedy: “X marks the spot” (a directive that can move backwards), and “It’s not a bug, it’s a vintage feature.” Meanwhile, the security crowd waved the C-language boogeyman flag, blaming the classic number-handling snafu: a huge positive number flipping negative under the hood. The hottest thread argued whether this proves C is unsafe by default or just a reminder to audit dusty corners. Mood: startled, snarky, and ready to merge the fix.

Key Points

  • Memory disclosure vulnerability found in Ruby MRI’s Array#pack due to signed/unsigned conversion causing negative repeat counts.
  • Issue affects Ruby 4.0.0 and likely earlier versions back to Ruby 1.6.7 (2002).
  • Using the X directive with a negative repeat count grows the string, enabling out-of-bounds memory reads.
  • A guard in rb_str_set_len limits leak size; string capacity rounds to the next power of two, influencing leak behavior.
  • Fix progress is being tracked in PR #15763; the affected method is rarely used and attacker input control is uncommon.

Hottest takes

"Crazy that this bug has been around for 20+ years" — matltc
"Rewrite it in Rust already, C keeps haunting Christmas" — rust_please
"Pack? Haven’t touched that since Perl memes—probably fine" — old_timer_rb

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.