CVE-2026-54905

Source
https://cve.org/CVERecord?id=CVE-2026-54905
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-54905.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-54905
Aliases
Downstream
Related
Published
2026-06-24T15:42:44.257Z
Modified
2026-06-28T04:04:20.656291352Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
concurrent-ruby: `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity
Details

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITELOCKHELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. trywritelock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.

Database specific
{
    "cwe_ids": [
        "CWE-128"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54905.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/ruby-concurrency/concurrent-ruby

Affected ranges

Type
GIT
Repo
https://github.com/ruby-concurrency/concurrent-ruby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.7"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.7"
        }
    ],
    "cpe": "cpe:2.3:a:rubyconcurrency:concurrent_ruby:*:*:*:*:*:ruby:*:*"
}

Affected versions

0.*
0.3.0.pre.1
1.*
1.0.0.pre2
1.0.0.pre3
edge-v0.*
edge-v0.2.3
edge-v0.3.0
edge-v0.3.1
edge-v0.4.0
edge-v0.4.0.pre1
edge-v0.4.0.pre2
edge-v0.4.1
edge-v0.5.0
edge-v0.6.0
edge-v0.6.0.pre1
edge-v0.7.0
edge-v0.7.1
edge-v0.7.2
v0.*
v0.0.1
v0.0.2
v0.1.0
v0.1.1.pre.2
v0.1.1.pre.4
v0.1.1.pre.5
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.0.pre.2
v0.3.0.pre.3
v0.3.1
v0.3.1.pre.1
v0.3.1.pre.2
v0.3.2
v0.4.0
v0.6.0
v0.6.0.pre.1
v0.6.0.pre.2
v0.6.1
v0.7.0
v0.7.0.1
v0.7.0.rc1
v0.7.0.rc2
v0.7.0.rc3
v0.7.2
v0.8.0
v0.9.0
v0.9.0.pre1
v0.9.0.pre2
v0.9.0.pre3
v0.9.1
v1.*
v1.0.0
v1.0.0.pre1
v1.0.0.pre4
v1.0.0.pre5
v1.0.1
v1.0.2
v1.0.3
v1.0.3.pre1
v1.0.3.pre2
v1.0.3.pre3
v1.0.4
v1.0.5
v1.1.0
v1.1.0.pre1
v1.1.0.pre2
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.6.pre1
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.1.pre
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-54905.json"