Skip to content

CVE-2026-54906 (Medium) detected in concurrent-ruby-1.3.5.gem #290

Description

@mend-bolt-for-github

CVE-2026-54906 - Medium Severity Vulnerability

Vulnerable Library - concurrent-ruby-1.3.5.gem

Modern concurrency tools including agents, futures, promises, thread pools, actors, supervisors, and more. Inspired by Erlang, Clojure, Go, JavaScript, actors, and classic concurrency patterns.

Library home page: https://rubygems.org/gems/concurrent-ruby-1.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/concurrent-ruby-1.3.5.gem

Dependency Hierarchy:

  • manageiq-style-1.3.3.gem (Root Library)
    • more_core_extensions-4.5.1.gem
      • activesupport-8.0.2.gem
        • concurrent-ruby-1.3.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.

Publish Date: 2026-06-24

URL: CVE-2026-54906

CVSS 3 Score Details (4.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-19

Fix Resolution: https://github.com/ruby-concurrency/concurrent-ruby.git - v1.3.7


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions