Impact
The concurrent-ruby gem contains a bug in its ReadWriteLock implementation. The release_write_lock method does not confirm that the calling thread holds the lock, allowing a thread to release another thread's lock. The release_read_lock method can decrement the shared counter even when no lock is held, potentially turning it negative and causing errors. The effect is a synchronization correctness problem that can lead to concurrent writes or unexpected exceptions, affecting data integrity and application reliability.
Affected Systems
This issue affects the ruby-concurrency concurrent-ruby library. Versions before 1.3.7 are vulnerable; versions 1.3.7 and newer contain the fix. The gem is commonly used in Ruby applications that require concurrent data structures.
Risk and Exploitability
The CVSS score of 2.1 indicates low severity. The EPSS score is 0.00086, indicating a very low exploitation probability (<1%). The vulnerability is not listed in CISA KEV. The likely attack vector is limited to threads within the same process; an attacker would need to influence the application code. No remote code execution or privilege escalation is known. The risk remains low unless the affected code is exposed to malicious input that can manipulate lock usage.
OpenCVE Enrichment
Github GHSA