CVE-2026-54904
Ruby Vulnerability Analysis and Mitigation

Overview

CVE-2026-54904 is a livelock (infinite loop) vulnerability in the concurrent-ruby gem affecting Concurrent::AtomicReference#update when the stored value is Float::NAN. Discovered by Pranjali Thakur (depthfirst.com) and published on June 16, 2026, it affects all versions of concurrent-ruby prior to 1.3.7. The vulnerability has a CVSS v4 base score of 8.2 (High) (GitHub Advisory).

Technical Details

The root cause is classified as CWE-835 (Loop with Unreachable Exit Condition / Infinite Loop), arising from the interaction between three behaviors: AtomicReference#update retries until compare_and_set returns true; the numeric path in compare_and_set checks old == old_value before attempting the underlying atomic swap; and Ruby's IEEE 754 NaN semantics, where Float::NAN == Float::NAN always evaluates to false. Once an AtomicReference holds Float::NAN, every call to #update retrieves NaN as old_value, the equality check permanently fails, compare_and_set returns false on every iteration, and the retry loop never terminates. The vulnerability is reachable entirely through the public Concurrent::AtomicReference API without native extensions or undefined behavior, and a public proof-of-concept is included in the advisory (GitHub Advisory, Repo Advisory).

Impact

Successful exploitation causes an application-level denial of service: the affected thread spins indefinitely, consuming CPU at maximum rate (the PoC demonstrated ~1.9 million block evaluations in 250 ms) and never completing the requested update. In web services or background job processors that store externally derived numeric values in an AtomicReference, this results in permanent request hangs or job stalls, degrading or completely blocking service availability. There is no confidentiality or integrity impact; the vulnerability is limited to availability of the vulnerable system (GitHub Advisory).

Exploitation Steps

  1. Identify a target application: Find a Ruby application using concurrent-ruby < 1.3.7 that stores externally supplied numeric values (e.g., sensor readings, API responses, financial data) in a Concurrent::AtomicReference.
  2. Inject a NaN value: Supply or manipulate an upstream data source so that the value Float::NAN (IEEE 754 Not-a-Number) is written into the target AtomicReference — for example, by sending a JSON payload with null or a non-numeric string that the application converts to NaN, or by exploiting a division-by-zero in upstream processing.
  3. Trigger #update: Cause the application to call AtomicReference#update on the poisoned reference — this may happen automatically as part of normal request processing, a background job, or a scheduled task.
  4. Observe livelock: The calling thread enters a permanent busy-retry loop, executing the update block millions of times per second without ever returning, consuming 100% of one CPU core and causing the associated request or job to hang indefinitely (GitHub Advisory, Repo Advisory).

Indicators of Compromise

  • Process: Ruby worker process(es) showing sustained 100% CPU utilization on a single core with no corresponding throughput; threads stuck in AtomicReference#update visible via Thread.list or a Ruby profiler.
  • Logs: Requests or background jobs that never complete or time out without an explicit error; absence of normal completion log entries for jobs that use AtomicReference.
  • Application Metrics: Sudden spike in CPU usage correlated with ingestion of externally derived numeric data; job queue depth growing without jobs completing.
  • Runtime Inspection: Using a Ruby debugger or kill -QUIT (SIGQUIT) thread dump, observing threads permanently looping inside concurrent-ruby's compare_and_set / update methods (GitHub Advisory).

Mitigation and Workarounds

Upgrade concurrent-ruby to version 1.3.7 or later, which contains the fix for this livelock condition. If an immediate upgrade is not possible, applications should validate or sanitize externally derived numeric values before storing them in an AtomicReference, explicitly rejecting or replacing Float::NAN values (e.g., using value.nan? ? 0.0 : value for Float inputs). Monitoring for unexpected CPU spikes in Ruby worker processes can help detect exploitation attempts in the interim (GitHub Advisory, Repo Advisory).
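The following Ruby example is added here to illustrate the retry loop described under Technical Details and the input validation recommended above; it is not code from the advisory or from concurrent-ruby. `EqualityCasRef` is a hypothetical stand-in that mirrors the equality-based compare-and-set the advisory describes, with a bounded retry so the demonstration itself cannot livelock, and `sanitize_numeric` is an assumed helper showing how to reject NaN before a value reaches an atomic reference.

```ruby
# Hypothetical model of an atomic reference whose compare_and_set compares
# the stored value with == (the behaviour the advisory describes). Because
# Float::NAN == Float::NAN is false, a NaN value can never be matched.
class EqualityCasRef
  def initialize(value)
    @value = value
    @mutex = Mutex.new
  end

  def get
    @mutex.synchronize { @value }
  end

  # Equality-based CAS: succeeds only when the current value == expected.
  def compare_and_set(expected, new_value)
    @mutex.synchronize do
      return false unless @value == expected
      @value = new_value
      true
    end
  end

  # Same retry structure as a read-modify-write update, but with a cap on
  # attempts so the demonstration reports the stall instead of spinning.
  def update(max_attempts: 1000)
    max_attempts.times do
      old_value = get
      new_value = yield old_value
      return [:ok, new_value] if compare_and_set(old_value, new_value)
    end
    [:livelock_suspected, get]
  end
end

# Mitigation: coerce and validate externally derived numeric input before
# storing it. Non-numeric strings and nil yield nil from Float(); NaN is
# caught explicitly. Both are replaced by a safe fallback.
def sanitize_numeric(value, fallback: 0.0)
  f = Float(value, exception: false)
  return fallback if f.nil? || f.nan?
  f
end

if __FILE__ == $PROGRAM_NAME
  ref = EqualityCasRef.new(Float::NAN)               # poisoned reference
  p ref.update(max_attempts: 100) { |x| x + 1 }       # stalls every attempt
  ref = EqualityCasRef.new(sanitize_numeric("NaN"))  # sanitized input
  p ref.update { |x| x + 1 }                          # completes normally
end
```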

Related Information


Source: this report was generated using AI.
