CVE-2026-54905
CVE-2026-54905 is a medium-severity vulnerability in Rubyconcurrency Concurrent Ruby with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-128.
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- CVSS v4: 2.0
- EPSS exploit prediction: 0% (1st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-39000
- Weakness: CWE-128
- Affected product: Rubyconcurrency Concurrent Ruby
- Published:
- Last modified:
Description
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
Frequently asked questions
- What is CVE-2026-54905?
- concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
- How severe is CVE-2026-54905?
- CVE-2026-54905 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-54905 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (1st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-54905?
- CVE-2026-54905 affects Rubyconcurrency Concurrent Ruby. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-54905?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-54905 have an EU (EUVD) identifier?
- Yes. CVE-2026-54905 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-39000.
- When was CVE-2026-54905 published?
- CVE-2026-54905 was published on 2026-06-24 and last updated on 2026-06-26.
References
Affected products (1)
- cpe:2.3:a:rubyconcurrency:concurrent_ruby:*:*:*:*:*:ruby:*:*
More vulnerabilities in Rubyconcurrency Concurrent Ruby
- CVE-2026-54906 — Critical (CVSS 9.8): concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock…
- CVE-2026-54904 — High (CVSS 7.5): concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a…