Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.062
EPSS Ranking 92.7%