CVE-2026-54904
Float::NAN Handling Flaw in concurrent-ruby

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction of three things: AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; the Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)

Vendor             Product            Version / Range
concurrent-ruby    concurrent_ruby    1.3.7
ruby-concurrency   concurrent-ruby    to 1.3.7 (exc)
CWE
CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-54904 vulnerability affects the concurrent-ruby gem, specifically versions prior to 1.3.7. It occurs in the AtomicReference#update method when the stored value is Float::NAN. Because in Ruby Float::NAN is not equal to itself, the compare_and_set method always fails, causing the update method to enter a permanent busy retry loop. This means the update block is executed repeatedly without returning, leading to excessive CPU usage.

Impact Analysis

This vulnerability can cause application-level denial of service by exhausting CPU resources or causing permanent request or job hangs. Services that store externally derived numeric values in an AtomicReference may experience CPU exhaustion or become unresponsive due to the infinite retry loop triggered by Float::NAN values.

Detection Guidance

This vulnerability can be detected by checking whether your application uses a concurrent-ruby gem version prior to 1.3.7 and whether it stores externally derived numeric values in AtomicReference objects.

Specifically, detection involves checking whether AtomicReference#update is called on values that might be Float::NAN, which causes the update method to enter a permanent busy retry loop, leading to high CPU usage or application hangs.

To detect this behavior, monitor your system for unusually high CPU consumption or permanent request/job hangs in Ruby applications using concurrent-ruby.

While no specific commands are provided in the resources, you can use Ruby debugging or logging to trace calls to AtomicReference#update and check if the stored value is Float::NAN.

  • Check the version of concurrent-ruby gem: `gem list concurrent-ruby` or inspect your Gemfile.lock.
  • Use Ruby code to detect if AtomicReference contains Float::NAN, for example by adding logging around update calls.
  • Monitor system CPU usage with tools like `top` or `htop` to identify processes with high CPU consumption potentially caused by this issue.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the concurrent-ruby gem to version 1.3.7 or later, where this issue has been fixed.

Until the upgrade can be applied, avoid storing Float::NAN values in AtomicReference objects to prevent the busy retry loop from occurring.

Additionally, monitor your application for symptoms such as high CPU usage or request/job hangs that may indicate the vulnerability is being triggered.
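The NaN interaction from the Description and the two interim mitigations above (keeping Float::NAN out of the reference, and not spinning forever when an update cannot succeed), as an added Ruby example. `NumericRefModel` is a minimal stand-in written here to reproduce the Numeric compare_and_set semantics the advisory states; it is not concurrent-ruby's own implementation, and `sanitize_numeric`, `bounded_update` and `StuckUpdate` are names chosen for this example.

```ruby
# Added example, not concurrent-ruby code: a minimal model of the
# compare_and_set semantics the advisory describes, plus two defensive
# wrappers an application can apply while waiting for the 1.3.7 upgrade.
class NumericRefModel
  def initialize(value)
    @mutex = Mutex.new
    @value = value
  end

  def get
    @mutex.synchronize { @value }
  end

  # Mirrors what the advisory states for Numeric values: the swap is
  # attempted only when old == old_value. Float::NAN == Float::NAN is
  # always false, so a stored NaN can never be replaced through this path.
  def compare_and_set(old_value, new_value)
    @mutex.synchronize do
      return false unless @value == old_value
      @value = new_value
      true
    end
  end
end

# Mitigation 1: reject NaN before it reaches the reference, so the
# unreachable exit condition (CWE-835) is never set up. Externally
# derived floats get a caller-chosen fallback instead.
def sanitize_numeric(value, fallback: 0.0)
  value.is_a?(Float) && value.nan? ? fallback : value
end

class StuckUpdate < StandardError; end

# Mitigation 2 / detection: the same retry loop shape as #update, but with
# an attempt budget. A reference that can never be updated raises instead
# of burning a CPU core and hanging the request or job indefinitely.
def bounded_update(ref, max_attempts: 1_000)
  max_attempts.times do
    old_value = ref.get
    new_value = yield old_value
    return new_value if ref.compare_and_set(old_value, new_value)
  end
  stored = ref.get
  raise StuckUpdate, "compare_and_set failed #{max_attempts} times " \
                     "(stored value is NaN: #{stored.is_a?(Float) && stored.nan?})"
end
```

A StuckUpdate raised from `bounded_update` is the signal to log and alert on: with real concurrent-ruby prior to 1.3.7 the same situation would instead present only as the high CPU or hung job described in the Detection Guidance.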
