CVE-2026-54906

Source
https://cve.org/CVERecord?id=CVE-2026-54906
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54906.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54906
Aliases
Downstream
Related
Published
2026-06-24T15:46:01.116Z
Modified
2026-07-08T08:13:45.391010667Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
concurrent-ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
Details

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#releasewritelock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#releasereadlock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54906.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-414",
        "CWE-667"
    ]
}
References

Affected packages

Git / github.com/ruby-concurrency/concurrent-ruby

Affected ranges

Type
GIT
Repo
https://github.com/ruby-concurrency/concurrent-ruby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:rubyconcurrency:concurrent_ruby:*:*:*:*:*:ruby:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.7"
        }
    ]
}

Affected versions

0.*
0.3.0.pre.1
1.*
1.0.0.pre2
1.0.0.pre3
edge-v0.*
edge-v0.2.3
edge-v0.3.0
edge-v0.3.1
edge-v0.4.0
edge-v0.4.0.pre1
edge-v0.4.0.pre2
edge-v0.4.1
edge-v0.5.0
edge-v0.6.0
edge-v0.6.0.pre1
edge-v0.7.0
edge-v0.7.1
edge-v0.7.2
v0.*
v0.0.1
v0.0.2
v0.1.0
v0.1.1.pre.2
v0.1.1.pre.4
v0.1.1.pre.5
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.0.pre.2
v0.3.0.pre.3
v0.3.1
v0.3.1.pre.1
v0.3.1.pre.2
v0.3.2
v0.4.0
v0.6.0
v0.6.0.pre.1
v0.6.0.pre.2
v0.6.1
v0.7.0
v0.7.0.1
v0.7.0.rc1
v0.7.0.rc2
v0.7.0.rc3
v0.7.2
v0.8.0
v0.9.0
v0.9.0.pre1
v0.9.0.pre2
v0.9.0.pre3
v0.9.1
v1.*
v1.0.0
v1.0.0.pre1
v1.0.0.pre4
v1.0.0.pre5
v1.0.1
v1.0.2
v1.0.3
v1.0.3.pre1
v1.0.3.pre2
v1.0.3.pre3
v1.0.4
v1.0.5
v1.1.0
v1.1.0.pre1
v1.1.0.pre2
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.6.pre1
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.1.pre
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54906.json"