Vulnerability Description
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rubyconcurrency | Concurrent Ruby | < 1.3.7 |
Related Weaknesses (CWE)
References
- https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-h8wExploitThird Party Advisory
- https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-h8wExploitThird Party Advisory
FAQ
What is CVE-2026-54904?
CVE-2026-54904 is a vulnerability with a CVSS score of 7.5 (HIGH). concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caus...
How severe is CVE-2026-54904?
CVE-2026-54904 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-54904?
Check the references section above for vendor advisories and patch information. Affected products include: Rubyconcurrency Concurrent Ruby.