CVE-2026-54905 - Medium Severity Vulnerability
Vulnerable Library - concurrent-ruby-1.3.5.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more.
Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/concurrent-ruby-1.3.5.gem
Dependency Hierarchy:
- manageiq-style-1.3.3.gem (Root Library)
- more_core_extensions-4.5.1.gem
- activesupport-8.0.2.gem
- ❌ concurrent-ruby-1.3.5.gem (Vulnerable Library)
Found in base branch: master
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54905
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here
CVE-2026-54905 - Medium Severity Vulnerability
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/concurrent-ruby-1.3.5.gem
Dependency Hierarchy:
Found in base branch: master
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54905
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here