UBUNTU-CVE-2026-54905

Source
https://ubuntu.com/security/CVE-2026-54905
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-54905
Upstream
Published
2026-06-24T17:17:00Z
Modified
2026-06-29T13:55:06.109746394Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Ubuntu - medium
Summary
[none]
Details

concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer: the low 15 bits hold the read hold count, and bit 15 is used as WRITELOCKHELD. After 32,768 reentrant read acquisitions, the local read count carries over into the write-lock bit. trywritelock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.

References

Affected packages

Ubuntu:16.04:LTS
ruby-concurrent

Package

Name
ruby-concurrent
Purl
pkg:deb/ubuntu/ruby-concurrent?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.0.0-1",
            "binary_name": "ruby-concurrent"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json"
Ubuntu:18.04:LTS
ruby-concurrent

Package

Name
ruby-concurrent
Purl
pkg:deb/ubuntu/ruby-concurrent?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.5-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.0.5-1",
            "binary_name": "ruby-concurrent"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json"
Ubuntu:20.04:LTS
ruby-concurrent

Package

Name
ruby-concurrent
Purl
pkg:deb/ubuntu/ruby-concurrent?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.5-3
1.0.5-4
1.1.6+dfsg-2
1.1.6+dfsg-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.6+dfsg-3",
            "binary_name": "ruby-concurrent"
        },
        {
            "binary_version": "1.1.6+dfsg-3",
            "binary_name": "ruby-concurrent-ext"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json"
Ubuntu:22.04:LTS
ruby-concurrent

Package

Name
ruby-concurrent
Purl
pkg:deb/ubuntu/ruby-concurrent?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.1.6+dfsg-3
1.1.6+dfsg-3build1
1.1.6+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.6+dfsg-4",
            "binary_name": "ruby-concurrent"
        },
        {
            "binary_version": "1.1.6+dfsg-4",
            "binary_name": "ruby-concurrent-ext"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json"
Ubuntu:24.04:LTS
ruby-concurrent

Package

Name
ruby-concurrent
Purl
pkg:deb/ubuntu/ruby-concurrent?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.1.6+dfsg-5build2
1.1.6+dfsg-5build3
1.2.3-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.2.3-2build1",
            "binary_name": "ruby-concurrent"
        },
        {
            "binary_version": "1.2.3-2build1",
            "binary_name": "ruby-concurrent-ext"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json"
Ubuntu:25.10
ruby-concurrent

Package

Name
ruby-concurrent
Purl
pkg:deb/ubuntu/ruby-concurrent?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.3.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.3.4-1",
            "binary_name": "ruby-concurrent"
        },
        {
            "binary_version": "1.3.4-1",
            "binary_name": "ruby-concurrent-ext"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json"
Ubuntu:26.04:LTS
ruby-concurrent

Package

Name
ruby-concurrent
Purl
pkg:deb/ubuntu/ruby-concurrent?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.3.4-1
1.3.6-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.3.6-1",
            "binary_name": "ruby-concurrent"
        },
        {
            "binary_version": "1.3.6-1",
            "binary_name": "ruby-concurrent-ext"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-54905.json"