Synchronization flaw in ReadWriteLock allows unauthorized lock release and denial of service
Summary
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7. A flaw was found in concurrent-ruby, a Ruby library for managing concurrent operations. The `Concurrent::ReadWriteLock` component contains a synchronization issue where write locks can be released by unauthorized threads. This could allow multiple threads to write concurrently, potentially leading to data corruption. Furthermore, an issue with read lock management can cause a denial of service (DoS) by preventing legitimate read operations. This is essentially a library misuse scenario. The attack requires local code execution in the same Ruby process AND use of the manual locking API (ReadWriteLock).
- < 1.3.7
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- The concurrent-ruby package ships `Concurrent::ReadWriteLock`, which contains a synchronization flaw allowing concurrent readers and writers under high-contention workloads. Updating to concurrent-ruby version 1.3.5 or later resolves this issue.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.