Description
concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction of three things: AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; the Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update evaluates the caller's block repeatedly and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
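The retry/compare_and_set interaction described above, as an added example that is not concurrent-ruby's own code: a small model of the loop (the class and method names are this example's, bounded with a max_attempts parameter so the livelock can be observed instead of hanging), together with the input guard from the recommended actions.

```ruby
Livelock = Class.new(StandardError)   # raised by the bounded demo loop below
# Model of the mechanism the advisory describes (not the gem's own code).
class ModelAtomicReference
  def initialize(value)
    @mutex = Mutex.new
    @value = value
  end

  def get
    @mutex.synchronize { @value }
  end

  # Numeric compare_and_set path: swap only when the current value == old_value.
  # Float::NAN == Float::NAN is false, so a stored NaN is never swapped out here.
  def compare_and_set(old_value, new_value)
    @mutex.synchronize do
      next false unless @value == old_value
      @value = new_value
      true
    end
  end

  # #update: re-read, run the caller's block, retry until compare_and_set succeeds.
  # max_attempts exists only for this demonstration; the real loop is unbounded.
  def update(max_attempts:)
    attempts = 0
    loop do
      old_value = get
      new_value = yield old_value
      return new_value if compare_and_set(old_value, new_value)
      attempts += 1
      raise Livelock, "compare_and_set failed #{attempts} times" if attempts >= max_attempts
    end
  end
end

# Runs one update and reports :ok or :livelock plus how many times the block ran
# (each run is a wasted CPU cycle in the real bug).
def update_or_livelock(initial, max_attempts: 1_000)
  ref = ModelAtomicReference.new(initial)
  evaluated = 0
  ref.update(max_attempts: max_attempts) { |v| evaluated += 1; v + 1 }
  [:ok, ref.get, evaluated]
rescue Livelock
  [:livelock, ref.get, evaluated]
end

# Mitigation from the recommended actions: validate numeric input before it is stored.
def reject_nan(value)
  raise ArgumentError, 'NaN is not an acceptable value' if value.is_a?(Float) && value.nan?
  value
end
```

`update_or_livelock(1.5)` finishes after one block evaluation, while `update_or_livelock(Float::NAN, max_attempts: 100)` runs the block 100 times without a single successful swap.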
Published: 2026-06-24
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A permanent busy-retry loop is triggered when Concurrent::AtomicReference#update attempts to update a reference that contains Float::NAN, because NaN values never satisfy the equality check used by the compare_and_set operation. The result is continuous evaluation of the supplied block that never returns, consuming CPU resources or leaving requests or background jobs stuck forever. The vulnerability directly impacts the confidentiality, integrity, and availability of applications that rely on concurrent-ruby for thread-safe numeric state, with the primary consequence being denial of service.

Affected Systems

The issue is present in concurrent-ruby before version 1.3.7, in any Ruby application that uses AtomicReference to hold externally derived numeric values. All releases of the ruby-concurrency:concurrent-ruby product older than 1.3.7 are affected. Any service that stores a Float::NAN in an AtomicReference, whether it arrives through user input, external data, or internal calculations, could experience the livelock.

Risk and Exploitability

The CVSS score of 8.2 indicates a high-severity vulnerability. Although no EPSS score is available and the flaw is not listed in the CISA KEV catalog, the condition is trivial to trigger: a NaN value only has to reach an AtomicReference that is subsequently updated. No special privileges are required and the trigger can occur at the application layer, leading to service degradation or complete failure. The lack of a publicly disclosed exploit suggests that the danger lies primarily in unbounded CPU consumption rather than in immediate remote code execution.

Generated by OpenCVE AI on June 24, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade concurrent-ruby to version 1.3.7 or later, which contains the fix for AtomicReference#update.
  • Modify code to guard against storing or updating AtomicReference instances with Float::NAN values, for example by validating numeric input before assignment.
  • Implement monitoring for sustained high CPU usage or hung requests, and set up automated recovery (restart or timeout) for affected services.

Advisories
Source: GitHub GHSA
ID: GHSA-h8w8-99g7-qmvj
Title: Concurrent Ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
History

Wed, 24 Jun 2026 21:00:00 +0000

Type: First Time appeared
Values Added: Ruby-concurrency; Ruby-concurrency concurrent-ruby
Type: Vendors & Products
Values Added: Ruby-concurrency; Ruby-concurrency concurrent-ruby

Wed, 24 Jun 2026 16:30:00 +0000

Values Added:
Title: concurrent-ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
Weaknesses: CWE-835
References:
Metrics: cvssV4_0, score 8.2, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T15:44:21.992Z

Reserved: 2026-06-16T13:49:33.556Z

Link: CVE-2026-54904

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:40:40Z

Weaknesses
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')