Description
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
Published: 2026-06-24
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Before version 1.3.7, the concurrent-ruby library’s ReentrantReadWriteLock can overflow its internal read counter. After a thread acquires a read lock 32,768 times, the low‑15‑bit read counter overlaps the bit that flags a write lock. Subsequent attempts to obtain a write lock succeed because the function mistakenly interprets the overflowed counter as the thread already holding a write lock, yet it does not set the global RUNNING_WRITER flag. The caller is therefore granted what appears to be exclusive write access while other threads may continue to hold or acquire read locks, violating the core mutual‑exclusion guarantee and creating a race condition that can corrupt shared data.

Affected Systems

Systems using ruby-concurrency:concurrent-ruby with any version older than 1.3.7 are affected. The vulnerability is fixed starting with version 1.3.7 and later.

Risk and Exploitability

The CVSS score of 2 indicates low severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. An attacker would need the ability to repeatedly acquire the read lock 32,768 times within the same process, a scenario that typically requires either a flaw in application logic or the ability to execute code inside the target process. Consequently, exploitation probability is low and confined to local or application‑level contexts, with the primary impact being potential data corruption rather than remote code execution or denial of service.

Generated by OpenCVE AI on June 24, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Concurrent::ReentrantReadWriteLock version 1.3.7 or later
  • Replace any vulnerable concurrent-ruby library references in the application with a fixed version
  • Review and refactor lock acquisition logic to avoid excessive re‑entrant read locking

Generated by OpenCVE AI on June 24, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wv3x-4vxv-whpp Concurrent Ruby: `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity
History

Wed, 24 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
Title concurrent-ruby: `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity
Weaknesses CWE-128
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T16:41:34.224Z

Reserved: 2026-06-16T13:49:33.556Z

Link: CVE-2026-54905

cve-icon Vulnrichment

Updated: 2026-06-24T16:39:54.356Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T18:00:17Z

Weaknesses