Skip to content

CVE-2026-54905 (Medium) detected in concurrent-ruby-1.3.5.gem #289

Description

@mend-bolt-for-github

CVE-2026-54905 - Medium Severity Vulnerability

Vulnerable Library - concurrent-ruby-1.3.5.gem

Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.

Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/concurrent-ruby-1.3.5.gem

Dependency Hierarchy:

  • manageiq-style-1.3.3.gem (Root Library)
    • more_core_extensions-4.5.1.gem
      • activesupport-8.0.2.gem
        • concurrent-ruby-1.3.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.

Publish Date: 2026-06-24

URL: CVE-2026-54905

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-19

Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions