Skip to main content

Ruby CVE-2026-46727

| EUVDEUVD-2026-31477 HIGH
Race Condition (CWE-362)
2026-05-22 mitre GHSA-jfc8-2xw7-c79m
High
Disputed · 8.1 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
3.1 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 18:15 vuln.today

DescriptionCVE.org

An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(..., timeout:) or Socket.tcp(..., resolv_timeout:). Memory-corruption-based exploitation is theoretically possible. The attack could, for example, be carried out through a crafted authoritative DNS server or recursive resolver.

AnalysisAI

Use-after-free in Ruby 4.x (before 4.0.5) lets remote attackers who can manipulate DNS response timing crash applications calling Addrinfo.getaddrinfo with a timeout: option or Socket.tcp with resolv_timeout:. The flaw lives in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) and, while reliably exploitable for denial of service, also raises a theoretical possibility of memory-corruption-based code execution. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability is a CWE-362 race condition in Ruby's C-level networking layer. Ruby's socket extension wraps the libc getaddrinfo(3) resolver call in a pthread-backed worker so it can be cancelled when the user-supplied timeout: / resolv_timeout: expires. When the DNS reply arrives at almost the same instant the timeout fires, the timeout path and the worker thread race over the heap-allocated addrinfo result structure, leading to a use-after-free in rb_getaddrinfo. The affected component is the Ruby interpreter itself (cpe:2.3:a:ruby-lang:ruby), so any Ruby-based application or service performing name resolution with an explicit timeout - common in HTTP clients, job workers, and microservice frameworks - inherits the bug.

RemediationAI

Vendor-released patch: Ruby 4.0.5 - upgrade any Ruby 4.x installation to 4.0.5 or later as described in the official advisory at https://www.ruby-lang.org/en/news/2026/05/20/getaddrinfo-cve-2026-46727/. If immediate upgrade is not possible, the most direct workaround is to stop passing the timeout: argument to Addrinfo.getaddrinfo and the resolv_timeout: argument to Socket.tcp, which avoids the vulnerable pthread timeout path entirely; the trade-off is that name resolution will then block for the OS-level resolver timeout, potentially extending request latency under DNS failure. As a second compensating control, restrict outbound DNS for affected services to a trusted internal resolver and prevent the application from resolving attacker-controlled hostnames (e.g., validate or allowlist URLs before fetching), accepting the operational cost of an SSRF-style allowlist. Monitor for unexpected interpreter crashes / SIGSEGV in Ruby workers as a detection signal while patching is in progress.

More in Ruby

View all
CVE-2017-17405 HIGH POC
8.8 Dec 15

Ruby before 2.4.3 allows Net::FTP command injection. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2017-17790 CRITICAL POC
9.8 Dec 20

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injectio

CVE-2017-14064 CRITICAL POC
9.8 Aug 31

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call

CVE-2016-2336 CRITICAL POC
9.8 Jan 06

Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. Rated critical severi

CVE-2016-2337 CRITICAL POC
9.8 Jan 06

Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2016-2339 CRITICAL POC
9.8 Jan 06

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Rub

CVE-2017-9225 CRITICAL POC
9.8 May 24

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7

CVE-2026-27614 CRITICAL POC
9.3 Feb 25

Stored XSS in Bugsink error tracking tool before 2.0.13 allows unauthenticated attackers to inject persistent scripts th

CVE-2017-0898 CRITICAL POC
9.1 Sep 15

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) w

CVE-2013-4164 MEDIUM POC
6.8 Nov 23

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and tru

CVE-2019-16255 HIGH POC
8.1 Nov 26

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "c

CVE-2017-9229 HIGH POC
7.5 May 24

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy