CVE-2026-54905
Analyzed Analyzed - Analysis Complete

Concurrent Ruby ReentrantReadWriteLock Write Lock Bypass

Vulnerability report for CVE-2026-54905, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rubyconcurrency concurrent_ruby to 1.3.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-128 Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to a breakdown of the mutual-exclusion guarantees provided by the locking mechanism in concurrent-ruby. Specifically, it allows a thread to believe it holds a write lock while other threads may still hold or acquire read locks concurrently.

The impact is that critical sections of code that rely on exclusive write access may be executed concurrently by multiple threads, potentially causing data corruption, race conditions, or inconsistent program state.

Executive Summary

This vulnerability exists in concurrent-ruby versions prior to 1.3.7 in the Concurrent::ReentrantReadWriteLock component. The issue arises because the lock uses a single integer to store both read and write hold counts for a thread, with the low 15 bits for the read count and bit 15 for the write lock indicator.

When a thread acquires the read lock 32,768 times (which exceeds the 15-bit limit), the read count overflows into the write lock bit. As a result, the system mistakenly believes the thread already holds a write lock and allows it to proceed without setting the global write lock flag.

This breaks the mutual-exclusion guarantee because the thread is told it has a write lock while other threads can still hold or acquire read locks simultaneously, potentially leading to concurrent access issues.

Mitigation Strategies

To mitigate this vulnerability, upgrade the concurrent-ruby library to version 1.3.7 or later, where the issue is fixed.

Compliance Impact

The vulnerability in concurrent-ruby's ReentrantReadWriteLock can lead to race conditions and inconsistent reads of protected mutable state due to broken mutual-exclusion guarantees.

Such data integrity and concurrency issues could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require the protection and accurate handling of sensitive data.

However, the provided information does not explicitly describe the direct effects of this vulnerability on compliance with these standards.

Detection Guidance

This vulnerability affects the concurrent-ruby library versions prior to 1.3.7, specifically the ReentrantReadWriteLock class. Detection involves identifying if your system or application is using a vulnerable version of concurrent-ruby.

To detect the vulnerability, you can check the installed version of the concurrent-ruby gem in your Ruby environment.

  • Run the command: `gem list concurrent-ruby` to see the installed version.
  • Alternatively, check your application's Gemfile.lock for the concurrent-ruby version.

If the version is earlier than 1.3.7, your system is vulnerable.

There are no specific network detection commands since this is a library-level concurrency issue within Ruby applications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54905. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart