Key Information

Vulnerability Description

Issue Description: In (specifically implemented as ), heap sort initially captures a pointer to the original data (variable ) and keeps using that pointer for element access. If the user-provided comparator block (e.g., the method) modifies the array so that the underlying storage shrinks or is reallocated, the sorting routine does not detect the change in allocation. It keeps using the stale pointer, reads invalid entries in , and then calls with garbage data, leading to a crash.

Trigger Conditions

Trigger Conditions: The vulnerability is triggered when sorting an array larger than and, during the comparison phase, a custom block modifies the array. Specifically, Ruby fuzzer inputs like cause the function to shrink or reallocate the array's storage while the heap sort keeps using the old pointer, resulting in a use-after-free crash.

Information on the Fix

Reproducible Input:

Crash Output: Debugger output includes undefined behavior warnings and minimal stack traces, indicating a segmentation fault in .

Fix Commit: The heap sort implementation was modified to refresh the array pointer after any potential modification, and array length checks were added during sorting to detect and handle allocation changes.

Discussion and Validation

Community Feedback: The submitter and project maintainers discussed the root cause and the fix approach, ultimately confirming the effectiveness of the patch and submitting it.

Status: The issue was marked as Closed, and the fix was implemented and merged via commit .
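The defensive pattern the fix describes, re-reading the storage pointer after every comparator call and aborting when the length has shrunk, as an added example in C that is not the project's own code. The dynarray type, the comparator signature and the sample values are constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed growable array standing in for the page's unnamed array type (assumption). */
typedef struct { long *data; size_t len, cap; } dynarray;
typedef int (*cmp_fn)(dynarray *a, long x, long y);

static dynarray make_array(const long *vals, size_t n) {
    dynarray a = { malloc(n * sizeof *vals), n, n };
    memcpy(a.data, vals, n * sizeof *vals);
    return a;
}

/* Shrink and reallocate in place: the kind of mutation a comparator block can cause. */
static void shrink_to(dynarray *a, size_t n) {
    a->len = a->cap = n;
    a->data = realloc(a->data, n * sizeof *a->data);
}

/* Sift-down that never trusts a pointer across a comparator call: element values are
 * copied before the call, the base pointer is refreshed after it, and a shrunken
 * length aborts the sort instead of indexing freed or out-of-bounds memory. */
static int sift_down(dynarray *a, size_t n, size_t i, cmp_fn cmp) {
    for (;;) {
        size_t kids[2] = { 2 * i + 1, 2 * i + 2 }, m = i;
        long *p = a->data;
        for (int k = 0; k < 2 && kids[k] < n; k++) {
            int c = cmp(a, p[kids[k]], p[m]); /* values read before the call */
            p = a->data;                      /* refresh: storage may have moved */
            if (a->len < n) return -1;        /* shrunk: indices no longer valid */
            if (c > 0) m = kids[k];
        }
        if (m == i) return 0;
        long t = p[i]; p[i] = p[m]; p[m] = t;
        i = m;
    }
}

/* Max-heap sort over the array; 0 on success, -1 if the comparator shrank it. */
static int heap_sort(dynarray *a, cmp_fn cmp) {
    size_t n = a->len;
    for (size_t i = n / 2; i-- > 0; )
        if (sift_down(a, n, i, cmp) < 0) return -1;
    for (size_t end = n; end-- > 1; ) {
        long *p = a->data, t = p[0]; p[0] = p[end]; p[end] = t;
        if (sift_down(a, end, 0, cmp) < 0) return -1;
    }
    return 0;
}

static int cmp_plain(dynarray *a, long x, long y) { (void)a; return (x > y) - (x < y); }
/* Comparator that mutates the array mid-sort, like the block in the report. */
static int cmp_shrinking(dynarray *a, long x, long y) {
    if (a->len > 2) shrink_to(a, 2);
    return (x > y) - (x < y);
}

/* Sorts a constructed sample: 1 if sorted, -1 if the sort aborted safely, 0 otherwise. */
static int run_sort(cmp_fn cmp) {
    static const long sample[] = { 5, 1, 4, 2, 3, 9, 0, 7 };
    dynarray a = make_array(sample, 8);
    int rc = heap_sort(&a, cmp);
    if (rc == 0) { rc = 1; for (size_t i = 1; i < a.len; i++) if (a.data[i - 1] > a.data[i]) rc = 0; }
    free(a.data);
    return rc;
}
```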