Description
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Published: 2026-06-24
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The concurrent-ruby gem contains a bug in its ReadWriteLock implementation. The release_write_lock method does not confirm that the calling thread holds the lock, allowing a thread to release another thread's lock. The release_read_lock method can decrement the shared counter even when no lock is held, potentially turning it negative and causing errors. The effect is a synchronization correctness problem that can lead to concurrent writes or unexpected exceptions, affecting data integrity and application reliability.

Affected Systems

This issue affects the ruby-concurrency concurrent-ruby library. Versions before 1.3.7 are vulnerable; versions 1.3.7 and newer contain the fix. The gem is commonly used in Ruby applications that require concurrent data structures.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity. The EPSS score is 0.00086, indicating a very low exploitation probability (<1%). The vulnerability is not listed in CISA KEV. The likely attack vector is limited to threads within the same process; an attacker would need to influence the application code. No remote code execution or privilege escalation is known. The risk remains low unless the affected code is exposed to malicious input that can manipulate lock usage.

Generated by OpenCVE AI on June 26, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade concurrent-ruby to version 1.3.7 or later
  • Review code that manually releases locks and refactor to ensure only owning threads release locks; wrap lock operations in helpers that enforce ownership
  • Add defensive checks and error handling around lock operations, and monitor for negative counter conditions

Generated by OpenCVE AI on June 26, 2026 at 04:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6wx8-w4f5-wwcr Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L'}

threat_severity

Low


Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-concurrency
Ruby-concurrency concurrent-ruby
Vendors & Products Ruby-concurrency
Ruby-concurrency concurrent-ruby

Wed, 24 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Title concurrent-ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
Weaknesses CWE-414
CWE-667
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Ruby-concurrency Concurrent-ruby
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T17:57:07.650Z

Reserved: 2026-06-16T13:49:33.556Z

Link: CVE-2026-54906

cve-icon Vulnrichment

Updated: 2026-06-24T17:57:02.851Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T15:46:01Z

Links: CVE-2026-54906 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:15:11Z

Weaknesses