Wrap-around Error Affecting concurrent-ruby package, versions <1.3.7


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.11% (2nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-CONCURRENTRUBY-17391434
  • published21 Jun 2026
  • disclosed19 Jun 2026
  • creditPranjali Thakur

Introduced: 19 Jun 2026

NewCVE-2026-54905  (opens in a new tab)
CWE-128  (opens in a new tab)

How to fix?

Upgrade concurrent-ruby to version 1.3.7 or higher.

Overview

Affected versions of this package are vulnerable to Wrap-around Error in ReentrantReadWriteLock that causes incorrect write locks. An attacker can cause a thread to incorrectly obtain a write lock without exclusivity by repeatedly acquiring the read lock 32,768 times, which overflows the internal counter and bypasses the global writer state. This allows other threads to continue acquiring read locks concurrently, leading to data races and inconsistent reads of shared mutable state.

CVSS Base Scores

version 4.0
version 3.1