ALPINE-CVE-2022-28739

ALPINE-CVE-2022-28739 PUBLISHED CVSS 7.5 HIGH

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.21	ruby	0, 0, 0
Alpine:v3.17	ruby	2.2.4-r0, 3.1.1-r0, 3.0.3-r0
Alpine:v3.23	ruby	0, 0, 0
Alpine:v3.19	ruby	2.6.3-r1, 2.6.3-r0, 2.5.5-r0
Alpine:v3.18	ruby	0, 1.8.7_p160-r2, 1.8.7_p160-r3
Alpine:v3.16	ruby	3.0.3-r0, 2.7.4-r2, 2.7.4-r1
Alpine:v3.20	ruby	0, 0, 0
Alpine:v3.12	ruby	2.0.0, 0, 1.8.7_p160-r3
Alpine:v3.15	ruby	*, 3.0.3-r0, 3.0.2-r0
Alpine:v3.14	ruby	1.8.7_p174-r2, 2.7.5-r0, 2.7.4-r0
Alpine:v3.13	ruby	2.7.5-r0, 2.7.4-r0, 2.7.3-r0
Alpine:v3.22	ruby	0, 0, 0

Timeline

May 9, 2022 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2022-28739 advisory

Open in Interactive Console →