Impact
Before version 1.3.7, the concurrent-ruby library’s ReentrantReadWriteLock can overflow its internal read counter. After a thread acquires a read times, the low-15-bit read counter overlaps the bit that flags a write lock. Subsequent attempts to obtain a write lock succeed because the function mistakenly interprets the overflowed counter as the thread already holding a write lock, yet it does not set the global RUNNING_WRITER flag. The caller is therefore granted what appears to be exclusive write access while other threads may continue to hold or acquire read locks, violating the core mutual-exclusion guarantee and creating a race condition that can corrupt shared data. This overflow condition represents an Integer Overflow (CWE-190) and internal lock counter corruption (CWE-128).
Affected Systems
Systems using ruby-concurrency:concurrent-ruby with any version older than 1.3.7 are affected. The vulnerability is fixed starting with version 1.3.7 and later.
Risk and Exploitability
The CVSS score of 2 indicates low severity. The EPSS score of 0.00105, which corresponds to less than 1%, indicates a very low but non-zero exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. An attacker would need the ability to repeatedly acquire the read lock 32768 times within the same process, a scenario that typically requires either a flaw in application logic or the ability to execute code inside the target process. Consequently, exploitation probability is low and confined to local or application-level contexts, with the primary impact being potential data corruption rather than remote code execution or. This is an integer overflow flaw (CWE-190) in the lock implementation.
OpenCVE Enrichment
Github GHSA