CVE Vulnerabilities

CVE-2026-54906

Missing Lock Check

Published: Jun 24, 2026 | Modified: Jun 26, 2026
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
3.6 LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.

Weakness

A product does not check to see if a lock is present before performing sensitive operations on a resource.

Affected Software

NameVendorStart VersionEnd Version
Concurrent_rubyRubyconcurrency*1.3.7 (excluding)
Ruby-concurrentUbuntuquesting*
Ruby-concurrentUbuntuupstream*

Potential Mitigations

References