Description
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Published: 2026-06-24
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The concurrent-ruby gem contains a bug in its ReadWriteLock implementation. The release_write_lock method does not confirm that the calling thread holds the lock, allowing a thread to release another thread's lock. The release_read_lock method can decrement the shared counter even when no lock is held, potentially turning it negative and causing errors. The effect is a synchronization correctness problem that can lead to concurrent writes or unexpected exceptions, affecting data integrity and application reliability.

Affected Systems

This issue affects the ruby-concurrency concurrent-ruby library. Versions before 1.3.7 are vulnerable; versions 1.3.7 and newer contain the fix. The gem is commonly used in Ruby applications that require concurrent data structures.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The attack vector is limited to threads within the same process; an attacker would need ability to interact with the application or supply code that obtains and misuses the lock. No remote code execution or privilege escalation is known. The risk remains low unless the affected code is exposed to malicious input that can manipulate lock usage.

Generated by OpenCVE AI on June 24, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade concurrent-ruby to version 1.3.7 or later
  • Review code that manually releases locks and refactor to ensure only owning threads release locks; wrap lock operations in helpers that enforce ownership
  • Add defensive checks and error handling around lock operations, and monitor for negative counter conditions

Generated by OpenCVE AI on June 24, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6wx8-w4f5-wwcr Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
History

Wed, 24 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Title concurrent-ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
Weaknesses CWE-414
CWE-667
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T17:57:07.650Z

Reserved: 2026-06-16T13:49:33.556Z

Link: CVE-2026-54906

cve-icon Vulnrichment

Updated: 2026-06-24T17:57:02.851Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T17:30:16Z

Weaknesses