Misc #22005
Missing information about CVE on cve.org
Status: Closed
Description
CVE-2026-27820 was fixed and disclosed more than one month ago:
https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820/
However, there is still no public information on https://www.cve.org/CVERecord?id=CVE-2026-27820 . Could this be fixed please?
BTW, the same situation applied to CVE-2025-61594, where the information was not there for months. This points to a gap in the security release process. Could the process be improved so the information is disclosed in a timely manner?
Updated by hsbt (Hiroshi SHIBATA) 24 days ago
We recently switched our CVE Numbering Authority from MITRE to GitHub, which may be causing this. Previously, MITRE would update cve.org records on their own after we published advisories on www.ruby-lang.org, but it seems GitHub may not do the same automatically.
We'll look into it, though I'm not yet sure we can fully resolve this on our end.
Updated by hsbt (Hiroshi SHIBATA) 23 days ago
· Edited
- Status changed from Open to Closed
- Assignee set to hsbt (Hiroshi SHIBATA)
I published https://github.com/ruby/zlib/security/advisories/GHSA-g857-hhfv-j68w yesterday.
After that, https://www.cve.org/CVERecord?id=CVE-2026-27820 is available now.
It seems that CVEs issued from GitHub are not published on cve.org unless the GHSA is also published. From now on, I will publish the GHSA at the same time.
Thank you for pointing this out.
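A post-release check for the gap hsbt describes above (a CVE issued by GitHub as CNA that stays invisible on cve.org until the GHSA is published). This is an added example, not code from the thread, the ruby/zlib project, or the Ruby security process. It queries two public, unauthenticated endpoints: the CVE Services API at cveawg.mitre.org (which serves CVE JSON 5 records and, by assumption here, answers 404 for IDs that are reserved but not yet published) and the GitHub global advisory API. The CVE/GHSA identifiers and JSON bodies in the sample section are constructed placeholders for offline use, not real records.

```ruby
# Added example (not from the ruby-lang issue tracker or the ruby/zlib project):
# after publishing an advisory, confirm that the CVE record is visible on cve.org
# and that the GitHub advisory backing it is public, so a release checklist
# catches the "GHSA unpublished, CVE stuck in RESERVED" state.
#
# Endpoints (public, unauthenticated):
#   https://cveawg.mitre.org/api/cve/<CVE-ID>   -> CVE JSON 5 record; assumed 404 if unpublished
#   https://api.github.com/advisories/<GHSA-ID> -> global advisory; carries "published_at"
require "json"
require "net/http"
require "uri"

CVE_API  = "https://cveawg.mitre.org/api/cve/"
GHSA_API = "https://api.github.com/advisories/"

# Interpret an HTTP status and body from the CVE Services API.
# Returns :published (true only for state PUBLISHED), :state and :date_published.
def classify_cve_response(status, body)
  return { published: false, state: "NOT_FOUND", date_published: nil } if status == 404
  raise "unexpected HTTP status #{status} from cve.org" unless status == 200

  meta  = JSON.parse(body).fetch("cveMetadata")
  state = meta.fetch("state")
  { published: state == "PUBLISHED", state: state, date_published: meta["datePublished"] }
end

# Interpret an HTTP status and body from the GitHub global advisory API.
# A draft (unpublished) GHSA is not visible to unauthenticated callers, so 404 means "not public".
def classify_ghsa_response(status, body)
  return { published: false, published_at: nil } if status == 404
  raise "unexpected HTTP status #{status} from api.github.com" unless status == 200

  adv = JSON.parse(body)
  { published: !adv["published_at"].nil?, published_at: adv["published_at"] }
end

def http_get(url)
  res = Net::HTTP.get_response(URI(url))
  [res.code.to_i, res.body]
end

# Live check: true only when both the CVE record and the GHSA are public.
def advisory_published?(cve_id, ghsa_id)
  cve  = classify_cve_response(*http_get(CVE_API + cve_id))
  ghsa = classify_ghsa_response(*http_get(GHSA_API + ghsa_id))
  puts "#{cve_id}: #{cve[:state]} (#{cve[:date_published] || 'no publication date'})"
  puts "#{ghsa_id}: #{ghsa[:published] ? "published #{ghsa[:published_at]}" : 'not public'}"
  cve[:published] && ghsa[:published]
end

# Constructed sample responses (placeholder IDs, not real records) for offline use.
SAMPLE_CVE_PUBLISHED = JSON.generate(
  "dataType" => "CVE_RECORD",
  "cveMetadata" => { "cveId" => "CVE-2026-99999", "assignerShortName" => "GitHub_M",
                     "state" => "PUBLISHED", "datePublished" => "2026-04-01T00:00:00.000Z" }
)
SAMPLE_GHSA_PUBLISHED = JSON.generate(
  "ghsa_id" => "GHSA-xxxx-xxxx-xxxx", "cve_id" => "CVE-2026-99999",
  "published_at" => "2026-04-01T00:00:00Z"
)

# Offline demonstration of the two states a release engineer cares about.
def offline_demo
  stuck = classify_cve_response(404, "")            # GHSA still private: record not on cve.org
  live  = classify_cve_response(200, SAMPLE_CVE_PUBLISHED)
  ghsa  = classify_ghsa_response(200, SAMPLE_GHSA_PUBLISHED)
  { stuck: stuck[:published], live: live[:published] && ghsa[:published] }
end

if __FILE__ == $0
  if ARGV.length == 2
    exit(advisory_published?(ARGV[0], ARGV[1]) ? 0 : 1)
  else
    puts "usage: #{$0} CVE-YYYY-NNNNN GHSA-xxxx-xxxx-xxxx"
    p offline_demo
  end
end
```

Run it with a real CVE and GHSA pair to get a non-zero exit status while either record is still private; without arguments it only evaluates the constructed samples.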
Updated by vo.x (Vit Ondruch) 23 days ago
Thanks. I appreciate that.
Updated by vo.x (Vit Ondruch) 23 days ago
One more question: what is the process for H1 disclosure? It seems to me that the H1 report is still private despite being referenced in the GHSA.