CVE-2026-54905 | concurrent-ruby is a modern concurrency tools for Ruby. Prio… | CVSS 2.0 LOW

Description

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.

Metadata

CVE ID: CVE-2026-54905
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 13:49 UTC
Published: 2026-06-24 15:42 UTC
Last updated: 2026-06-24 16:41 UTC
Primary CWE: CWE-128
CWE-128: Wrap-around Error
Vendor / Product: ruby-concurrency / concurrent-ruby
Sources: cve.org · NVD

Severity & Metrics

2.0 LOW CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
ruby-concurrency	concurrent-ruby	—	< 1.3.7

Weakness (CWE)

CWE	Source	Description
CWE-128	cna	CWE-128: Wrap-around Error

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.0	LOW	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

References (1)

https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-wv3x-4vxv-whpp https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-wv3x-4vxv-whpp