CVE-2008-2376

Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.

Published: 2008-07-08 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2008-2376 is rated Moderate Risk (55.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.60%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2008-2376

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 11.36% 3.60% -7.76%
2 2025-12-01 11.27% 11.36% +0.09%
3 2025-09-02 11.27%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-2376

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 6.4 [email protected]

Weakness enumeration for CVE-2008-2376

OS Trackers for CVE-2008-2376

vendor priority summary link
gentoo normal CVE-2008-2376: 1 GLSA(s) (200812-17), 1 atom(s) (dev-lang/ruby); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-2376
redhat medium https://access.redhat.com/security/cve/CVE-2008-2376
ubuntu low CVE-2008-2376 low priority: Ubuntu including 2 source packages (ruby1.8, ruby1.9), 24 status rows across 12 suites (dapper, feisty, gutsy, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): released 10, not-affected 7, ignored 4, DNE 3. https://ubuntu.com/security/CVE-2008-2376

Affected software / configurations for CVE-2008-2376

Vendor Product Version Raw CPE
ruby-lang ruby 1.8.6.230 cpe:2.3:a:ruby-lang:ruby:1.8.6.230:*:*:*:*:*:*:*

References for CVE-2008-2376

URL Tags
http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html
http://secunia.com/advisories/30927 Vendor Advisory
http://secunia.com/advisories/31006
http://secunia.com/advisories/31062
http://secunia.com/advisories/31090
http://secunia.com/advisories/31181
http://secunia.com/advisories/31256
http://secunia.com/advisories/32219
http://secunia.com/advisories/33178
http://security.gentoo.org/glsa/glsa-200812-17.xml
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17756
http://wiki.rpath.com/Advisories:rPSA-2008-0218
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0218
http://www.debian.org/security/2008/dsa-1612
http://www.debian.org/security/2008/dsa-1618
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142
http://www.openwall.com/lists/oss-security/2008/07/02/3
http://www.redhat.com/support/errata/RHSA-2008-0561.html
http://www.securityfocus.com/archive/1/494104/100/0/threaded
http://www.us-cert.gov/cas/techalerts/TA08-260A.html US Government Resource
http://www.vupen.com/english/advisories/2008/2584
https://issues.rpath.com/browse/RPL-2639
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9863
https://usn.ubuntu.com/651-1/
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00112.html
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00161.html
cvelogic Threat Intelligence