CVE-2026-46727 - Vulnerability Details

- Race Condition in Ruby 4 getaddrinfo Leading to Use‑After‑Free and Process Crash

Description

An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(..., timeout:) or Socket.tcp(..., resolv_timeout:). Memory-corruption-based exploitation is theoretically possible. The attack could, for example, be carried out through a crafted authoritative DNS server or recursive resolver.

Published: 2026-05-22

Score: 8.1 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A race condition in Ruby 4's getaddrinfo implementation can cause a use‑after‑free when the DNS response is delayed close to the user‑specified timeout. The resulting memory corruption can crash the Ruby process that calls Addrinfo.getaddrinfo with a timeout or Socket.tcp with a resolv_timeout. While the description only specifies a crash, the underlying use‑after‑free could theoretically be abused for arbitrary code execution if the attacker controls the allocator state, but no such exploitation has been confirmed.

Affected Systems

Ruby 4 is affected up to but not including version 4.0.5. All installations of Ruby 4 that perform DNS resolution with timeout handling are vulnerable, regardless of platform or distribution.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. Because the attack requires a delayed DNS response near the timeout, the likely vector is remote network traffic; a malicious authoritative or recursive resolver could trigger the flaw. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so no public exploit data is currently known. Nevertheless, the crash risk is real, and memory‑corruption exploitation is theoretically possible, especially on systems where Ruby processes run with elevated privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ruby-lang

Ruby

unaffected

Version	Status	Constraints
`4.0.0`	affected	< 4.0.5

No data.

Vendor Product Confidence Versions

Ruby-lang

Ruby

95%

Version	Status	Scheme	Platform
`[4.0.0,4.0.5)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Ruby to version 4.0.5 or later, which contains the fixed pthread‑based getaddrinfo timeout handler.
Rebuild or reinstall any Ruby extensions that compile native code to ensure they are linked against the updated interpreter.
Limit DNS lookups to trusted resolvers or adjust application code to avoid using timeout parameters that expose the race condition when an update is not immediately feasible.

Generated by OpenCVE AI on May 22, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://hackerone.com/reports/3607434
https://www.ruby-lang.org/en/news/2026/05/20/getaddrinfo-cve-2026-46727/

History

Fri, 22 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Title		Race Condition in Ruby 4 getaddrinfo Leading to Use‑After‑Free and Process Crash

Fri, 22 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 22 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(..., timeout:) or Socket.tcp(..., resolv_timeout:). Memory-corruption-based exploitation is theoretically possible. The attack could, for example, be carried out through a crafted authoritative DNS server or recursive resolver.
First Time appeared		Ruby-lang Ruby-lang ruby
Weaknesses		CWE-362
CPEs		cpe:2.3:a:ruby-lang:ruby::::::::
Vendors & Products		Ruby-lang Ruby-lang ruby
References		https://hackerone.com/reports/3607434 https://www.ruby-lang.org/en/news/2026/05/20/getaddrinfo-cve-2026-46727/
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Ruby-lang Ruby

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-22T00:00:00.000Z

Updated: 2026-05-22T18:41:39.767Z

Reserved: 2026-05-16T00:00:00.000Z

Link: CVE-2026-46727

Vulnrichment

Updated: 2026-05-22T18:41:36.038Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:00:11Z

Weaknesses

CWE-362

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object