RubySec

Providing security resources for the Ruby community

CVE-2026-54522 (msgpack): DFVULN-839 - Use-After-Free in MessagePack::Buffer#clear Enables Cross-Buffer Disclosure

Published: June 09, 2026

SECURITY IDENTIFIERS

GEM

msgpack

PATCHED VERSIONS

>= 1.8.2

DESCRIPTION

Summary

MessagePack::Buffer#clear shifts out every chunk and returns its 4 KiB rmem page to the shared pool, but does not reset the buffer's rmem cursor (rmem_last, rmem_end, rmem_owner). The next write sees "unused rmem space" left over from the freed page and hands back a slice of memory that has already been returned to the pool. A second MessagePack::Buffer then re-acquires that same page, so reading the cleared-and-rewritten buffer discloses the second buffer's bytes — a same-process use-after-free with cross-buffer information disclosure (and the symmetric write-corruption).
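A simplified model of the stale-cursor pattern described in the summary, added here as an illustration and not taken from msgpack's source. The pool, `struct buf` and all function names are hypothetical; only `rmem_last` and `rmem_end` echo the field names above, and `rmem_owner` is left out. It compares a clear that leaves the cursor in place with one that resets it.

```c
#include <string.h>

#define PAGE_SIZE 4096
#define NPAGES 2

/* Toy shared pool (hypothetical): pages are only marked free, never unmapped. */
static char pages[NPAGES][PAGE_SIZE];
static int in_use[NPAGES];

static char *pool_alloc(void) {
    for (int i = 0; i < NPAGES; i++)
        if (!in_use[i]) { in_use[i] = 1; return pages[i]; }
    return NULL;
}
static void pool_free(char *p) {
    for (int i = 0; i < NPAGES; i++)
        if (p == pages[i]) in_use[i] = 0;
}

struct buf {
    char *page;                  /* page this buffer currently holds */
    char *data; size_t len;      /* the single chunk's bytes */
    char *rmem_last, *rmem_end;  /* cursor over unused space in the page */
};

static void buf_write(struct buf *b, const char *src, size_t n) {
    if (!b->rmem_last || (size_t)(b->rmem_end - b->rmem_last) < n) {
        b->page = pool_alloc();  /* no unused space: take a fresh page */
        b->rmem_last = b->page;
        b->rmem_end = b->page + PAGE_SIZE;
    }
    b->data = b->rmem_last;      /* carve the chunk out at the cursor */
    b->len = n;
    memcpy(b->data, src, n);
    b->rmem_last += n;
}

static void buf_clear(struct buf *b, int reset_cursor) {
    if (b->page) pool_free(b->page);
    b->page = b->data = NULL;
    b->len = 0;
    if (reset_cursor)            /* the reset the summary says is missing */
        b->rmem_last = b->rmem_end = NULL;
}

/* Returns 1 if buffer a reads back its own bytes, 0 if b's bytes show up. */
int a_intact_after_clear(int reset_cursor) {
    struct buf a = {0}, b = {0};
    memset(in_use, 0, sizeof in_use);
    buf_write(&a, "AAAAAAAA", 8);
    buf_clear(&a, reset_cursor);
    buf_write(&a, "BBBBBBBB", 8);          /* stale cursor points at freed page */
    buf_write(&b, "0123456789abcdef", 16); /* pool hands that page to b */
    return a.len == 8 && memcmp(a.data, "BBBBBBBB", 8) == 0;
}
```

With the cursor left stale, `a` reads back bytes written by `b`; with the reset, each buffer ends up on its own page.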
