Description
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.
Severity (CVSS)
| Base score | 2.1 |
|---|---|
| Severity | Low |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-414 — CWE-414: Missing Lock Check
- CWE-667 — CWE-667: Improper Locking
Affected products
| Vendor | Product | Versions |
|---|---|---|
| ruby-concurrency | concurrent-ruby | < 1.3.7 |
References
Generated from the official CVE List on 25 Jun 2026 10:14 UTC.