GHSA-fmx4-26r3-wxpf · Severity: high · Ecosystem: rubygems — Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption
CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.
Conclusion & alert: CVE-2024-22051 is rated Moderate Risk (58.6/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.45%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 12.05% | 1.45% | -10.61% |
| 2 | 2026-04-27 | 7.13% | 12.05% | +4.92% |
| 3 | 2025-12-20 | — | 7.13% | — |
Full EPSS history (16 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-fmx4-26r3-wxpf · Severity: high · Ecosystem: rubygems — Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2024-22051 not yet assigned priority: Debian including 1 source packages (ruby-commonmarker), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2024-22051 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2024-22051 |
ubuntu
|
medium | CVE-2024-22051 medium priority: Ubuntu including 1 source packages (ruby-commonmarker), 12 status rows across 12 suites (bionic, focal, jammy, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 6, ignored 3, needs-triage 2, released 1. | https://ubuntu.com/security/CVE-2024-22051 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| github | cmark-gfm | < 0.28.3.gfm.21 | cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:* |
| github | cmark-gfm | >= 0.29.0.gfm.0, < 0.29.0.gfm.3 | cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:* |
| gjtorikian | commonmarker | < 0.23.4 | cpe:2.3:a:gjtorikian:commonmarker:*:*:*:*:*:ruby:*:* |
| URL | Tags |
|---|---|
| https://github.com/advisories/GHSA-fmx4-26r3-wxpf | Third Party Advisory |
| https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x | Not Applicable |
| https://github.com/gjtorikian/commonmarker/commit/ab4504fd17460627a6ab255bc3c63e8e5fc6aed3 | Patch |
| https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-fmx4-26r3-wxpf | Vendor Advisory |
| https://vulncheck.com/advisories/vc-advisory-GHSA-fmx4-26r3-wxpf | Third Party Advisory |