Description
bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31.
Published: 2026-03-24
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Weakened password hash strength due to zero key‑strengthening iterations when cost is set to 31 in JRuby
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an integer overflow in the Java BCrypt implementation within the bcrypt‑ruby gem for JRuby. When the cost parameter, which determines the number of key‑strengthening rounds, is set to its maximum value of 31, the signed 32‑bit calculation overflows and the resulting round count becomes negative. The strengthening loop therefore executes zero iterations, collapsing the intended 2^31 rounds into a single, constant‑time computation. As the resulting hash still appears valid and passes verification, the weakness is invisible to the application.
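To make the failure concrete, the Ruby snippet below is an added example and not code from bcrypt-ruby or its `BCrypt.java`. It models the round-count arithmetic the description attributes to the JRuby implementation (computing `1 << cost` in a signed 32-bit integer is an assumption about the exact expression) by wrapping Ruby's arbitrary-precision integers to 32 bits, so the sign flip at cost 31 and the resulting zero-iteration loop can be observed directly. It also includes a small audit helper that picks out stored hashes carrying cost 31, which is the set the remediation list says should be rehashed at a lower cost once the gem is upgraded. The hash strings are constructed filler, not real credentials.

```ruby
# Added example (not bcrypt-ruby or BCrypt.java code): models the signed 32-bit
# round-count overflow described for CVE-2026-33306 and audits stored hashes.

# Wrap an arbitrary-precision Ruby Integer to a signed 32-bit value, i.e. the
# two's-complement behaviour of a Java int.
def to_int32(n)
  n &= 0xFFFFFFFF
  n >= 2**31 ? n - 2**32 : n
end

# Round count as the vulnerable implementation is assumed to compute it:
# 1 << cost held in a signed 32-bit int. At cost 31 this becomes negative.
def rounds_signed32(cost)
  to_int32(1 << cost)
end

# Round count the algorithm intends: 2^cost with no width limit.
def rounds_intended(cost)
  1 << cost
end

# How many times a `for (i = 0; i < rounds; i++)` body runs for a given count:
# a negative count never satisfies the loop condition, so the body runs 0 times.
def loop_iterations(rounds)
  rounds > 0 ? rounds : 0
end

# bcrypt modular-crypt format: $<ident>$<cost>$<22-char salt + 31-char digest>
BCRYPT_RE = /\A\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{53})\z/

# Extract the cost from a stored bcrypt string; nil if it is not bcrypt-shaped.
def bcrypt_cost(hash)
  m = BCRYPT_RE.match(hash)
  m && m[2].to_i
end

# A hash minted at (or verified with) cost 31 went through the zero-iteration path.
def affected_hash?(hash)
  bcrypt_cost(hash) == 31
end

# Subset of stored hashes that should be rehashed at a cost below 31.
def hashes_to_rehash(hashes)
  hashes.select { |h| affected_hash?(h) }
end

# Constructed sample hashes: the salt/digest part is filler, not real output.
FILLER = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0' # 53 chars
SAMPLE_HASHES = [
  '$2a$12$' + FILLER, # normal production cost, unaffected
  '$2a$31$' + FILLER, # maximum cost, hits the overflow path
  '$2a$10$' + FILLER  # unaffected
].freeze

if __FILE__ == $PROGRAM_NAME
  [30, 31].each do |cost|
    puts "cost=#{cost}: intended=#{rounds_intended(cost)} " \
         "signed32=#{rounds_signed32(cost)} " \
         "iterations=#{loop_iterations(rounds_signed32(cost))}"
  end
  puts "to rehash: #{hashes_to_rehash(SAMPLE_HASHES).inspect}"
end
```

Running the file prints the intended and wrapped round counts for costs 30 and 31, showing that only the last step of the cost range flips negative, and lists the one sample hash whose prefix marks it for rehashing. Keying the audit on the parsed cost rather than on a literal `$2a$31$` substring keeps it from missing a hash with surrounding whitespace or a different identifier while still flagging exactly the cost the advisory names.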

Affected Systems

Affected systems are applications that employ the bcrypt‑ruby library prior to release 3.1.22 and configure the cost to 31, or that later validate password hashes beginning with "$2a$31$". The vendor noted that the issue applies only to JRuby's implementation; native Ruby implementations are unaffected. Any deployment using older gem versions with cost=31 will generate weak hashes.

Risk and Exploitability

The CVSS score of 4.5 indicates moderate severity, and the EPSS score of under 1% suggests a low probability of exploitation at this time. The weakness is not listed in the CISA KEV catalog, and no active exploit is known. However, because the flaw allows attackers who can obtain the hash to compute it quickly, the risk escalates for systems that use high cost values and store password hashes locally. The likely vector is offline password cracking, inferred from the nature of the vulnerability; no network exposure is required beyond acquiring the hash.

Generated by OpenCVE AI on March 30, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade bcrypt-ruby to version 3.1.22 or newer.
  • If upgrading is not possible, configure the cost parameter to a value lower than 31.
  • Review existing password hashes; rehash any that use the $2a$31$ prefix if feasible.
  • Ensure the application uses the vetted Ruby implementation rather than JRuby when possible.
  • Verify that the system is not exposing password hashes externally; limit access to stored credentials.


Advisories
Source: GitHub GHSA
ID: GHSA-f27w-vcwj-c954
Title: bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby
History

Mon, 30 Mar 2026 14:15:00 +0000

First Time appeared
  Added: Bcrypt-ruby Project; Bcrypt-ruby Project bcrypt-ruby
CPEs
  Added: cpe:2.3:a:bcrypt-ruby_project:bcrypt-ruby:*:*:*:*:*:ruby:*:*
Vendors & Products
  Added: Bcrypt-ruby Project; Bcrypt-ruby Project bcrypt-ruby
Metrics
  Removed: cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 24 Mar 2026 16:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 12:15:00 +0000

References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}; threat_severity Moderate


Tue, 24 Mar 2026 10:45:00 +0000

First Time appeared
  Added: Bcrypt-ruby; Bcrypt-ruby bcrypt-ruby
Vendors & Products
  Added: Bcrypt-ruby; Bcrypt-ruby bcrypt-ruby

Tue, 24 Mar 2026 02:30:00 +0000

Description
  Added: bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31.
Title
  Added: bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby
Weaknesses
  Added: CWE-190
References
Metrics
  Added: cvssV4_0 {'score': 4.5, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:39:03.590Z

Reserved: 2026-03-18T21:23:36.675Z

Link: CVE-2026-33306

Vulnrichment

Updated: 2026-03-24T15:38:54.236Z

NVD

Status : Analyzed

Published: 2026-03-24T01:17:02.037

Modified: 2026-03-30T14:07:23.300

Link: CVE-2026-33306

Redhat

Severity : Moderate

Public Date: 2026-03-24T00:08:00Z

Links: CVE-2026-33306 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T20:58:11Z

Weaknesses