CVE-2026-54905
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In concurrent-ruby up to version 1.3.6, a vulnerability allows incorrect granting of a write lock after one thread acquires the read lock 32,768 times. The lock stores thread-local read and write hold counts in one integer, where the low 15 bits are for read count and bit 15 is for WRITE_LOCK_HELD. After exceeding this threshold, the read count overflows into the write-lock bit, causing try_write_lock to incorrectly return true without setting the global RUNNING_WRITER bit.
Risk Assessment
This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks simultaneously, leading to race conditions and data corruption.
Recommendation
Update concurrent-ruby to version 1.3.7 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.

