Vulnerability Key Information Summary

Vulnerability Type: Use-after-realloc (use after reallocation)

Affected Function: 

Issue Description: When using , the heap sort algorithm may capture the original data pointer of the array during the comparison step. If the array is modified (e.g., by calling ) after that pointer has been captured, the heap sort keeps using the outdated pointer, so invalid entries are passed to , which in turn triggers and crashes the interpreter.

Trigger Condition: Sorting an array larger than with a custom block that modifies the array while comparisons are in progress. For example, the Ruby fuzzer input causes the array storage to shrink or be reallocated, while the heap sort still uses the old pointer, resulting in a crash.

Hash Name: mruby_fuzzer

Crash Input: 

Crash Output: Includes a stack trace and memory address information, indicating a segmentation fault (SEGV) caused by accessing invalid memory addresses.

Fix Patch:
- Add or update code in to refresh the array pointer after each comparison, heapify operation, etc., during sorting. See the specific patch code.

Key Discussion:
- tim-becker believes the root cause is invalid data, with the trigger condition being the use of a reallocated array.
- matz points out that the function raises an exception when , and such use-after-free scenarios should not occur. He suggests the fix patch does not address the root cause.
- tim-becker further investigates and concludes the root cause is more accurately described as "use-after-realloc".

Resolution Status: The issue was resolved and closed in commit .
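The defensive pattern behind the fix (re-read the array's storage pointer after every call into the comparison callback, and stop sorting if the array shrank below the range being sorted) as an added example. This is C code constructed for this summary, not mruby's sort implementation or the patch from the issue; the `dyn_array` type, `heap_sort`, the hostile comparators `cmp_append` and `cmp_truncate`, and the sample values are all hypothetical. The example models a user-supplied sort block by letting the comparator receive and mutate the array being sorted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable array whose buffer moves on every resize. Constructed for this
 * example as a stand-in for an interpreter's array object; not mruby's code. */
typedef struct { long *ptr; size_t len, cap; } dyn_array;

/* Resize by allocating a fresh buffer and freeing the old one, so any pointer
 * captured before the resize is guaranteed to dangle afterwards. */
static void da_resize(dyn_array *a, size_t cap) {
    long *p = malloc((cap ? cap : 1) * sizeof *p);
    if (!p) abort();
    if (a->ptr) { memcpy(p, a->ptr, a->len * sizeof *p); free(a->ptr); }
    a->ptr = p; a->cap = cap ? cap : 1;
}
static void da_push(dyn_array *a, long v) {
    if (a->len == a->cap) da_resize(a, a->cap * 2);
    a->ptr[a->len++] = v;
}
static void da_shrink(dyn_array *a, size_t n) {   /* drop elements past index n */
    if (n < a->len) { a->len = n; da_resize(a, n); }
}

/* Comparison callback: like a sort block, it gets the array itself and may mutate it. */
typedef int (*cmp_fn)(dyn_array *a, long x, long y, void *ctx);

typedef struct {
    cmp_fn cmp; void *ctx;
    size_t need;          /* length the sort requires for its indices to stay valid */
    size_t relocations;   /* how often the callback moved the storage */
    int ok;               /* cleared if the array shrank under the sort */
} sort_state;

/* Compare a[i] and a[j] through the live pointer, then re-validate: the callback
 * may have reallocated (pointer moved) or shrunk (length dropped) the array.
 * Returns -1 if the sort can no longer proceed safely. */
static int cmp_refresh(dyn_array *a, sort_state *s, size_t i, size_t j, int *out) {
    uintptr_t before = (uintptr_t)a->ptr;       /* recorded only for comparison, never dereferenced */
    *out = s->cmp(a, a->ptr[i], a->ptr[j], s->ctx);
    if ((uintptr_t)a->ptr != before) s->relocations++;
    if (a->len < s->need) { s->ok = 0; return -1; }
    return 0;
}

static int sift_down(dyn_array *a, sort_state *s, size_t root, size_t n) {
    for (;;) {
        size_t child = 2 * root + 1, best;
        int c;
        if (child >= n) return 0;
        best = child;
        if (child + 1 < n) {
            if (cmp_refresh(a, s, child, child + 1, &c)) return -1;
            if (c < 0) best = child + 1;
        }
        if (cmp_refresh(a, s, root, best, &c)) return -1;
        if (c >= 0) return 0;
        long t = a->ptr[root]; a->ptr[root] = a->ptr[best]; a->ptr[best] = t;  /* always via a->ptr */
        root = best;
    }
}

/* Heap sort of a[0..len) that tolerates a comparator mutating the array. */
static sort_state heap_sort(dyn_array *a, cmp_fn cmp, void *ctx) {
    sort_state s = { cmp, ctx, a->len, 0, 1 };
    size_t n = a->len;
    if (n < 2) return s;
    for (size_t i = n / 2; i-- > 0;)
        if (sift_down(a, &s, i, n)) return s;
    for (size_t end = n - 1; end > 0; end--) {
        long t = a->ptr[0]; a->ptr[0] = a->ptr[end]; a->ptr[end] = t;
        if (sift_down(a, &s, 0, end)) return s;
    }
    return s;
}

/* Hostile comparators modelling a block that appends, or truncates, during the sort. */
static int cmp_append(dyn_array *a, long x, long y, void *ctx) { (void)ctx; da_push(a, 0); return (x > y) - (x < y); }
static int cmp_truncate(dyn_array *a, long x, long y, void *ctx) { (void)ctx; da_shrink(a, 1); return (x > y) - (x < y); }

static int sorted_prefix(const dyn_array *a, size_t n) {
    for (size_t i = 1; i < n; i++) if (a->ptr[i - 1] > a->ptr[i]) return 0;
    return 1;
}

/* Constructed input. Returns relocations survived with a correct result, or -1. */
static long demo_append(void) {
    static const long in[] = { 7, 3, 9, 1, 8, 2, 6, 4 };
    dyn_array a = { 0 };
    for (size_t i = 0; i < 8; i++) da_push(&a, in[i]);
    sort_state s = heap_sort(&a, cmp_append, NULL);
    long r = (s.ok && sorted_prefix(&a, 8)) ? (long)s.relocations : -1;
    free(a.ptr);
    return r;
}
/* Returns the ok flag: 0 means the sort stopped instead of indexing freed memory. */
static int demo_truncate(void) {
    dyn_array a = { 0 };
    for (long v = 5; v > 0; v--) da_push(&a, v);
    sort_state s = heap_sort(&a, cmp_truncate, NULL);
    free(a.ptr);
    return s.ok;
}

int main(void) {
    printf("append: relocations survived = %ld\n", demo_append());
    printf("truncate: ok = %d\n", demo_truncate());
    return 0;
}
```

The two checks in `cmp_refresh` correspond to the two ways the issue describes the array changing under the sort: a reallocation moves the storage (handled by never holding the pointer across the callback), and a shrink invalidates indices (handled by comparing the live length against the length the sort started with and bailing out rather than continuing). Running the example under AddressSanitizer is a quick way to confirm that neither hostile comparator reaches freed memory.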