Cyber Resilience

CVE-2026-33210

HighUpdated

Published: 20 March 2026

Published
20 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0055 41.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33210 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Ruby-Lang Json. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33210 is a format string injection vulnerability (CWE-134) in Ruby JSON, a JSON implementation for the Ruby programming language. It affects versions from 2.14.0 up to but not including 2.15.2.1, 2.17.1.2, and 2.19.2. The flaw arises when parsing user-supplied JSON documents with the allow_duplicate_key: false option enabled, potentially leading to denial of service or information disclosure. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality and availability.

Remote attackers require no privileges or user interaction to exploit this issue. By supplying specially crafted JSON input to applications using the vulnerable Ruby JSON versions with the specified parsing option, adversaries can inject format strings, resulting in either denial of service through crashes or resource exhaustion, or leakage of sensitive memory contents.

The issue has been patched in Ruby JSON versions 2.15.2.1, 2.17.1.2, and 2.19.2. Security practitioners should prioritize upgrading affected dependencies to these versions. Additional details are available in the GitHub security advisory at https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3.

EU & UK References

Vulnerability details

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is…

more

used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote network-accessible format string flaw in JSON parsing library directly enables T1190 for initial access against public apps; memory disclosure supports T1212 for credential access; and induced crashes/resource exhaustion map to T1499.004 application exploitation for DoS. No RCE or other impacts indicated.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27788Same vendor: Ruby-Lang
CVE-2026-46727Same vendor: Ruby-Lang
CVE-2025-27219Same vendor: Ruby-Lang
CVE-2026-3509Shared CWE-134
CVE-2025-30269Shared CWE-134
CVE-2025-40600Shared CWE-134
CVE-2025-27220Same vendor: Ruby-Lang
CVE-2026-42258Same vendor: Ruby-Lang
CVE-2023-53966Shared CWE-134
CVE-2024-45324Shared CWE-134

Affected Assets

ruby-lang
json
2.14.0 — 2.15.2.1 · 2.16.0 — 2.17.1.2 · 2.18.0 — 2.19.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring timely patching of affected Ruby JSON library versions to eliminate the format string injection flaw.

prevent

Mitigates exploitation by validating and sanitizing user-supplied JSON inputs before parsing with the vulnerable allow_duplicate_key: false option.

prevent

Prevents information disclosure and denial-of-service from format string injection by implementing secure error handling that avoids unsafe formatting operations.

References