CVE-2026-54906
Concurrent::ReadWriteLock Synchronization Flaw in concurrent-ruby

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
concurrent-ruby provides modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Generated: 2026-06-25
Affected Vendors & Products

Vendor | Product | Version / Range
concurrent_ruby | concurrent_ruby | up to 1.3.7 (inclusive)
ruby-concurrency | concurrent-ruby | up to 1.3.7 (exclusive)
CWE

CWE ID | Description
CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
CWE-414 | A product does not check to see if a lock is present before performing sensitive operations on a resource.
AI Quick Actions
Executive Summary

CVE-2026-54906 affects the concurrent-ruby library versions before 1.3.7, specifically the Concurrent::ReadWriteLock class.

The vulnerability has two main issues: First, the release_write_lock method does not check if the thread releasing the write lock is the one that originally acquired it. This allows any thread to release a write lock held by another thread, potentially letting multiple writers enter critical sections at the same time, which breaks the intended mutual exclusion.

Second, the release_read_lock method decreases the shared counter even when no read lock is held. Calling this on a fresh lock changes the counter from 0 to -1, causing subsequent read lock acquisitions to fail with a Concurrent::ResourceLimitError.

Overall, this is a synchronization correctness issue in the public API of Concurrent::ReadWriteLock.

Impact Analysis

The vulnerability can lead to data races because multiple writers may enter critical sections simultaneously, breaking the mutual exclusion guarantees.

It can also cause denial of service due to the corrupted lock counter, which prevents normal read lock acquisition by raising a Concurrent::ResourceLimitError.

However, the impact is limited to applications that misuse the manual acquire/release APIs of the Concurrent::ReadWriteLock.

Detection Guidance

This vulnerability affects the concurrent-ruby library versions prior to 1.3.7, specifically in the Concurrent::ReadWriteLock class. Detection involves identifying if your system or application is using a vulnerable version of concurrent-ruby.

You can check the installed version of concurrent-ruby in your Ruby environment by running the following command:

  • gem list concurrent-ruby

If the version is below 1.3.7, your system is potentially vulnerable.

Additionally, since the vulnerability involves misuse of manual acquire/release APIs in Concurrent::ReadWriteLock, monitoring application logs for errors such as Concurrent::ResourceLimitError or unexpected behavior in concurrency control may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade the concurrent-ruby library to version 1.3.7 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, review your code to ensure that the manual acquire and release methods of Concurrent::ReadWriteLock are used correctly, avoiding releasing locks from threads that did not acquire them.

Monitoring for errors related to lock misuse, such as Concurrent::ResourceLimitError, can also help identify and mitigate issues caused by this vulnerability.
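
As an added example, not code from the concurrent-ruby project: a minimal owner-tracking reader-writer lock (hypothetical class OwnedReadWriteLock, built on Ruby's Mutex and ConditionVariable) showing the two checks the advisory describes as missing before 1.3.7: release_write_lock refuses a caller that does not own the lock, and release_read_lock refuses to decrement a counter that is already zero.

```ruby
# Added illustration, not concurrent-ruby's own code: a minimal reader-writer
# lock (hypothetical class OwnedReadWriteLock) with the two missing checks.
class OwnedReadWriteLock
  class LockError < StandardError; end

  def initialize
    @mutex = Mutex.new
    @cond = ConditionVariable.new
    @readers = 0    # number of threads currently holding a read lock
    @writer = nil   # the Thread holding the write lock, or nil
  end

  def acquire_read_lock
    @mutex.synchronize do
      @cond.wait(@mutex) while @writer        # wait for the writer to finish
      @readers += 1
    end
    true
  end

  # Second defect: a release with no read lock held must not drive the
  # counter negative (0 -> -1), which would poison later acquisitions.
  def release_read_lock
    @mutex.synchronize do
      raise LockError, "no read lock held" if @readers.zero?
      @readers -= 1
      @cond.broadcast if @readers.zero?     # last reader out wakes writers
    end
    true
  end

  def acquire_write_lock
    @mutex.synchronize do
      @cond.wait(@mutex) while @writer || @readers > 0
      @writer = Thread.current               # record the owner
    end
    true
  end

  # First defect: only the thread that acquired the write lock may release
  # it, so a stray release cannot let a second writer into the section.
  def release_write_lock
    @mutex.synchronize do
      raise LockError, "write lock not held by this thread" unless @writer.equal?(Thread.current)
      @writer = nil
      @cond.broadcast
    end
    true
  end
end
```

A release from the wrong thread, or of a read lock that was never taken, now fails loudly with LockError instead of silently corrupting the lock state.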

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
