CVE-2026-54906 - Medium Severity Vulnerability
Vulnerable Library - concurrent-ruby-1.3.5.gem
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more.
Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/concurrent-ruby-1.3.5.gem
Dependency Hierarchy:
- manageiq-style-1.3.3.gem (Root Library)
- more_core_extensions-4.5.1.gem
- activesupport-8.0.2.gem
- ❌ concurrent-ruby-1.3.5.gem (Vulnerable Library)
Found in base branch: master
Vulnerability Details
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54906
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here
CVE-2026-54906 - Medium Severity Vulnerability
Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.
Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/concurrent-ruby-1.3.5.gem
Dependency Hierarchy:
Found in base branch: master
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Publish Date: 2026-06-24
URL: CVE-2026-54906
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-19
Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7
Step up your Open Source Security Game with Mend here