CVE-2026-54905
Received - Intake
Concurrent Ruby ReentrantReadWriteLock Write Lock Bypass

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer: the low 15 bits hold the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count carries into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
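The counter layout above can be modelled directly. The following Ruby is an added illustration, not concurrent-ruby's own code: it packs the read count and WRITE_LOCK_HELD flag into one integer as the description states, shows the unchecked increment carrying into bit 15, and places a bounds-checked variant beside it (the names READ_COUNT_MASK, ReadCountOverflow and the simplified try_write_lock are assumptions for this model, and the checked variant is not the upstream fix).

```ruby
# Added model of the per-thread hold counter described in the advisory text;
# this is not concurrent-ruby's own code. The low 15 bits hold the reentrant
# read count and bit 15 is the WRITE_LOCK_HELD flag, packed into one integer.
READ_COUNT_BITS = 15
READ_COUNT_MASK = (1 << READ_COUNT_BITS) - 1   # 0x7FFF: at most 32,767 reads (assumed name)
WRITE_LOCK_HELD = 1 << READ_COUNT_BITS         # 0x8000

# True when the packed counter claims this thread already holds the write lock.
def write_held?(local)
  (local & WRITE_LOCK_HELD) != 0
end

# Vulnerable behaviour: each reentrant read acquisition is a plain increment,
# so the 32,768th acquisition carries into bit 15.
def unchecked_read_acquires(n)
  local = 0
  n.times { local += 1 }
  local
end

# Defensive variant (assumed, not the upstream fix): refuse the acquisition
# once the read field is full, so the count can never spill into the flag bit.
class ReadCountOverflow < StandardError; end

def checked_read_acquires(n)
  local = 0
  n.times do
    if (local & READ_COUNT_MASK) == READ_COUNT_MASK
      raise ReadCountOverflow, "reentrant read count would exceed #{READ_COUNT_MASK}"
    end
    local += 1
  end
  local
end

# Model of the try_write_lock path named in the description: when the local
# counter shows WRITE_LOCK_HELD, return true without touching the global
# RUNNING_WRITER state (modelled as a boolean). Returns [granted, running_writer].
def try_write_lock(local, running_writer)
  return [true, running_writer] if write_held?(local)  # bypass: global bit never set
  return [false, running_writer] if running_writer
  [true, true]
end

if $PROGRAM_NAME == __FILE__
  local = unchecked_read_acquires(32_768)
  puts format("local=0x%04X write_held?=%s", local, write_held?(local))
  puts "try_write_lock -> #{try_write_lock(local, false).inspect}"
end
```

Running it shows the 32,768th read acquisition producing a counter equal to WRITE_LOCK_HELD with a read count of zero, and try_write_lock granting the lock while the global writer flag stays false.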
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: concurrent_ruby
Product: concurrent_ruby
Version / Range: up to 1.3.7 (inclusive)
CWE
CWE-128: Wrap-around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
AI Quick Actions
Impact Analysis

This vulnerability can lead to a breakdown of the mutual-exclusion guarantees provided by the locking mechanism in concurrent-ruby. Specifically, it allows a thread to believe it holds a write lock while other threads may still hold or acquire read locks concurrently.

The impact is that critical sections of code that rely on exclusive write access may be executed concurrently by multiple threads, potentially causing data corruption, race conditions, or inconsistent program state.

Executive Summary

This vulnerability exists in concurrent-ruby versions prior to 1.3.7 in the Concurrent::ReentrantReadWriteLock component. The issue arises because the lock uses a single integer to store both read and write hold counts for a thread, with the low 15 bits for the read count and bit 15 for the write lock indicator.

When a thread acquires the read lock 32,768 times (one more than the 15-bit field's maximum of 32,767), the read count carries into the write lock bit. As a result, the lock mistakenly believes the thread already holds a write lock and lets it proceed without setting the global write lock flag.

This breaks the mutual-exclusion guarantee because the thread is told it has a write lock while other threads can still hold or acquire read locks simultaneously, potentially leading to concurrent access issues.

Mitigation Strategies

To mitigate this vulnerability, upgrade the concurrent-ruby library to version 1.3.7 or later, where the issue is fixed.

Detection Guidance

This vulnerability affects concurrent-ruby versions prior to 1.3.7, specifically the ReentrantReadWriteLock class. Detection consists of identifying whether your system or application uses a vulnerable version of concurrent-ruby.

To detect the vulnerability, you can check the installed version of the concurrent-ruby gem in your Ruby environment.

  • Run the command: `gem list concurrent-ruby` to see the installed version.
  • Alternatively, check your application's Gemfile.lock for the concurrent-ruby version.

If the version is earlier than 1.3.7, your system is vulnerable.

There are no specific network detection commands since this is a library-level concurrency issue within Ruby applications.

Compliance Impact

The vulnerability in concurrent-ruby's ReentrantReadWriteLock can lead to race conditions and inconsistent reads of protected mutable state due to broken mutual-exclusion guarantees.

Such data integrity and concurrency issues could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require the protection and accurate handling of sensitive data.

However, the provided information does not explicitly describe the direct effects of this vulnerability on compliance with these standards.
