An integer underflow was found in the way String#unpack decodes the unpacking format. An attacker able to control the unpack format could use this flaw to disclose arbitrary parts of the application’s memory.
Code is vulnerable when the argument to String#unpack is attacker-controlled.
The unpack format string argument can be sanitized manually by preventing the number following '@' from overflowing to a negative number. See <https://dev.to/sqreenio/an-in-depth-look-at-cve-2018-8878-or-why-integer-overflows-are-still-a-thing-1n01> for mitigation details.
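
One way to apply the manual sanitization described above, as an added example (not code from Ruby itself or from the linked article): every '@' offset in the format is parsed as an arbitrary-precision Ruby Integer and rejected if it points past the end of the input, so an oversized value never reaches the native format decoder. The names `UnsafeUnpackFormat`, `check_unpack_format!` and `safe_unpack` are hypothetical, and the inputs in the usage comments are constructed.

```ruby
# Hypothetical helper names; added example, not part of Ruby's API.
class UnsafeUnpackFormat < ArgumentError; end

# Validate every '@<offset>' directive in an untrusted unpack format.
# Ruby Integers do not wrap, so a very long run of digits is compared
# safely here instead of being converted by the C parser, where it
# could become a negative offset.
def check_unpack_format!(data, format)
  format.scan(/@(\d+)/).flatten.each do |digits|
    offset = digits.to_i
    if offset > data.bytesize
      raise UnsafeUnpackFormat,
            "'@' offset #{digits} is outside the #{data.bytesize}-byte input"
    end
  end
  format
end

# Drop-in wrapper: validate first, then call String#unpack.
def safe_unpack(data, format)
  data.unpack(check_unpack_format!(data, format))
end

# Constructed sample usage:
#   safe_unpack("abcdef", "@2a2")               # offset inside the input
#   safe_unpack("abcdef", "@#{'9' * 30}C4")     # raises UnsafeUnpackFormat
```

The check is deliberately strict: an '@' offset that appears inside a format comment is rejected as well.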