Update dependency concurrent-ruby to v1.3.7 [SECURITY]#2936
Open
renovate[bot] wants to merge 1 commit into
Open
Update dependency concurrent-ruby to v1.3.7 [SECURITY]#2936renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Author
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
'1.3.5'→'1.3.7'Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
CVE-2026-54906 / GHSA-6wx8-w4f5-wwcr
More information
Details
Summary
Concurrent::ReadWriteLock#release_write_lockdoes not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running.Concurrent::ReadWriteLock#release_read_lockalso decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from0to-1, after which normal read acquisition raisesConcurrent::ResourceLimitError.This is a synchronization correctness issue in the public
Concurrent::ReadWriteLockAPI. It should not be framed as an authorization bypass; the lock is an in-process concurrency primitive, not an access-control boundary.Version
Software: concurrent-ruby
Version: 1.3.6
Commit: 7a1b78941c081106c20a9ca0144ac73a48d254ab
Details
release_write_lockchecks only whether the global counter indicates that a writer is running. It does not track or verify ownership:Because ownership is not checked, a different thread can clear the
RUNNING_WRITERbit while the original writer is still inside its critical section. Another writer can then acquire the write lock and run concurrently with the first writer.release_read_lockunconditionally decrements the shared counter:On a fresh lock, this changes the counter from
0to-1. A lateracquire_read_lockraisesConcurrent::ResourceLimitErrorbecause the maximum-reader check masks the negative counter as saturated.Reproduce
From the root of a
concurrent-rubycheckout, run:Expected result:
release_write_lockwhile the first writer still holds the lock.release_read_lockon a fresh lock changes the counter to-1.Concurrent::ResourceLimitError.Log evidence
Local reproduction output:
Impact
This can break the write-lock mutual exclusion guarantee and can also leave a lock unusable after a stray read release.
The impact is local to applications that expose or misuse the manual
acquire_*/release_*APIs. If the lock protects integrity-sensitive mutable state, wrong-thread write release can allow concurrent writers and data races. The stray read-release path can cause denial of service by corrupting the lock counter.Credit
Pranjali Thakur - depthfirst (depthfirst.com)
Severity
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Concurrent Ruby :
AtomicReference#updatelivelocks when the stored value isFloat::NANCVE-2026-54904 / GHSA-h8w8-99g7-qmvj
More information
Details
Summary
Concurrent::AtomicReference#updatecan enter a permanent busy retry loop when the current value isFloat::NAN.The issue is caused by the interaction between:
AtomicReference#update, which retries untilcompare_and_set(old_value, new_value)succeeds.compare_and_set, which checksold == old_valuebefore attempting the underlying atomic swap.Float::NAN == Float::NANis alwaysfalse.As a result, once an
AtomicReferencecontainsFloat::NAN, calling#updaterepeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in anAtomicReference, this can cause CPU exhaustion or permanent request/job hangs.Version
Software: concurrent-ruby
Version: 1.3.6
Commit: 7a1b78941c081106c20a9ca0144ac73a48d254ab
Details
AtomicReference#updateretries untilcompare_and_setreturns true:For numeric expected values,
compare_and_setuses numeric equality before attempting the underlying atomic compare-and-set:When the stored value is
Float::NAN,old_value = getreturns NaN. The later comparisonold == old_valueis false because NaN is not equal to itself.compare_and_settherefore returns false every time.AtomicReference#updatetreats that as a failed concurrent update and retries forever.This is reachable through the public
Concurrent::AtomicReferenceAPI and does not require native extensions or undefined behavior.PoC
Log evidence
Impact
This is an application-level denial of service issue. If an application stores externally derived numeric data in a
Concurrent::AtomicReference, an attacker or faulty upstream data source may be able to cause the stored value to becomeFloat::NAN. Any later call toAtomicReference#updateon that reference will spin indefinitely, repeatedly executing the update block and consuming CPU.Credit
Pranjali Thakur - depthfirst (depthfirst.com)
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Concurrent Ruby:
ReentrantReadWriteLockread-count overflow grants a write lock without exclusivityCVE-2026-54905 / GHSA-wv3x-4vxv-whpp
More information
Details
Summary
Concurrent::ReentrantReadWriteLockcan incorrectly grant a write lock after one thread acquires the read lock 32,768 times.The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as
WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit.try_write_lockthen treats the thread as already holding a write lock and returnstruewithout setting the globalRUNNING_WRITERbit.This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time.
Version
Software: concurrent-ruby
Version: 1.3.6
Commit: 7a1b78941c081106c20a9ca0144ac73a48d254ab
Details
The implementation uses a shared counter to track global readers/writers and a per-thread local counter to support reentrancy:
When a thread already holds a lock,
acquire_read_lockincrements@HeldCount:After 32,768 read acquisitions, the per-thread held count becomes
32768, which is equal toWRITE_LOCK_HELD. Thentry_write_lockreturns success through its "already have a write lock" branch:This branch does not set the global
RUNNING_WRITERbit. Other threads therefore do not observe an active writer and can continue holding or acquiring read locks while the caller believes it owns the write lock.PoC
Log evidence
Impact
This breaks the write-lock exclusivity guarantee. After the overflow, a thread can be told it has acquired the write lock while other threads can still hold or acquire read locks, allowing races and inconsistent reads of protected mutable state.
Credit
Pranjali Thakur - depthfirst (depthfirst.com)
Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.