Threat Advisory

Concurrent-Ruby Vulnerability Causes NaN Livelock

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-54904, with a CVSS score of 8.2, is a denial-of-service vulnerability in the Ruby gem concurrent-ruby affecting all releases prior to 1.3.7. The flaw resides in Concurrent::AtomicReference#update, which loops until a compare_and_set operation succeeds. When the stored value is Float::NAN, the numeric equality check always fails because NaN is not equal to itself, so the loop retries indefinitely and repeatedly executes the supplied block. An attacker who can inject a NaN value into an AtomicReference, or cause one to be placed there (through malicious input, a compromised upstream data source, or a logic error that converts external data to Float::NAN), can trigger the livelock by invoking any public update call on that reference. No special privileges or native extensions are required; invoking the method from a normal Ruby thread is sufficient. The result is CPU exhaustion and a hung thread or process, leading to service unavailability, increased latency, or a complete application outage. Exploitation requires that the application stores numeric data in an AtomicReference and that the value can become NaN, whether intentionally or inadvertently.
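To make the failure mode concrete, the following is an added example (not the gem's own code) built on a simplified model of the compare-and-set loop the advisory describes: the numeric path compares with `==`, so a stored `Float::NAN` never matches itself and the retry loop only terminates here because the model bounds it. `ToyAtomicRef`, `SafeAtomicRef` and `sanitize_numeric` are hypothetical names, and the identity-first compare plus input check are one possible mitigation, not necessarily the upstream fix.

```ruby
# Simplified model (assumption: not the gem's implementation) of the pattern the
# advisory describes: a mutex-guarded reference whose numeric compare uses `==`.
class ToyAtomicRef
  def initialize(value)
    @mutex = Mutex.new
    @value = value
  end

  def get
    @mutex.synchronize { @value }
  end

  # Vulnerable compare: `Float::NAN == Float::NAN` is false, so the swap never happens.
  def compare_and_set(old_value, new_value)
    @mutex.synchronize do
      matches = old_value.is_a?(Numeric) ? @value == old_value : @value.equal?(old_value)
      return false unless matches
      @value = new_value
      true
    end
  end

  # Bounded retry loop; an unbounded loop is the livelock. Returns
  # [:ok, new_value] on success or [:livelock, attempts] if no swap ever lands.
  def update(max_attempts: 1000)
    max_attempts.times do
      old = get
      new_value = yield old
      return [:ok, new_value] if compare_and_set(old, new_value)
    end
    [:livelock, max_attempts]
  end
end

# Hardened compare: check identity first, then numeric equality, so the NaN object
# read by `get` still matches itself on the way back in.
class SafeAtomicRef < ToyAtomicRef
  def compare_and_set(old_value, new_value)
    @mutex.synchronize do
      return false unless @value.equal?(old_value) || (old_value.is_a?(Numeric) && @value == old_value)
      @value = new_value
      true
    end
  end
end

# Input-side mitigation: refuse NaN before it can be stored in the reference.
def sanitize_numeric(raw)
  f = Float(raw)
  raise ArgumentError, "NaN is not an acceptable value" if f.nan?
  f
end
```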

RECOMMENDATION:

  • We recommend updating concurrent-ruby to version 1.3.7.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-h8w8-99g7-qmvj