CVE-2026-54904

Source
https://cve.org/CVERecord?id=CVE-2026-54904
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54904.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54904
Aliases
Downstream
Related
Published
2026-06-24T15:44:21.992Z
Modified
2026-07-08T08:13:42.561920691Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
concurrent-ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
Details

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compareandset(oldvalue, newvalue) succeeds; Numeric compareandset, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54904.json",
    "cwe_ids": [
        "CWE-835"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/ruby-concurrency/concurrent-ruby

Affected ranges

Type
GIT
Repo
https://github.com/ruby-concurrency/concurrent-ruby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:rubyconcurrency:concurrent_ruby:*:*:*:*:*:ruby:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.7"
        }
    ]
}

Affected versions

0.*
0.3.0.pre.1
1.*
1.0.0.pre2
1.0.0.pre3
edge-v0.*
edge-v0.2.3
edge-v0.3.0
edge-v0.3.1
edge-v0.4.0
edge-v0.4.0.pre1
edge-v0.4.0.pre2
edge-v0.4.1
edge-v0.5.0
edge-v0.6.0
edge-v0.6.0.pre1
edge-v0.7.0
edge-v0.7.1
edge-v0.7.2
v0.*
v0.0.1
v0.0.2
v0.1.0
v0.1.1.pre.2
v0.1.1.pre.4
v0.1.1.pre.5
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.0.pre.2
v0.3.0.pre.3
v0.3.1
v0.3.1.pre.1
v0.3.1.pre.2
v0.3.2
v0.4.0
v0.6.0
v0.6.0.pre.1
v0.6.0.pre.2
v0.6.1
v0.7.0
v0.7.0.1
v0.7.0.rc1
v0.7.0.rc2
v0.7.0.rc3
v0.7.2
v0.8.0
v0.9.0
v0.9.0.pre1
v0.9.0.pre2
v0.9.0.pre3
v0.9.1
v1.*
v1.0.0
v1.0.0.pre1
v1.0.0.pre4
v1.0.0.pre5
v1.0.1
v1.0.2
v1.0.3
v1.0.3.pre1
v1.0.3.pre2
v1.0.3.pre3
v1.0.4
v1.0.5
v1.1.0
v1.1.0.pre1
v1.1.0.pre2
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.6.pre1
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.1.pre
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54904.json"