CVE-2026-54904— concurrent-ruby AtomicReference#update更新NaN值时活锁漏洞
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2026-54904 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
concurrent-ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
不可达退出条件的循环(无限循环)
来源: 美国国家漏洞数据库 NVD
受影响产品
| 厂商 | 产品 | 影响版本 | CPE | 订阅 |
|---|---|---|---|---|
| ruby-concurrency | concurrent-ruby | < 1.3.7 | - |
二、漏洞 CVE-2026-54904 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2026-54904 的情报信息
请登录查看更多情报信息。
CVE-2026-54904 其他参考 (1)
同批安全公告 · ruby-concurrency · 2026-06-24 · 共 3 条
| CVE-2026-54906 | concurrent-ruby读写锁允许错误线程写入释放和读取计数损坏 | |
| CVE-2026-54905 | concurrent-ruby ReentrantReadWriteLock 读计数溢出致非独占写锁 |
IV. Related Vulnerabilities
V. Comments for CVE-2026-54904
暂无评论