Posted by hsbt on 20 May 2026
A use-after-free vulnerability has been discovered in the pthread-based getaddrinfo timeout handler of Ruby. This vulnerability has been assigned the CVE identifier CVE-2026-46727. This issue has been fixed in Ruby 4.0.5. We recommend upgrading Ruby.
Details
A race condition exists in the timeout cancellation path of rb_getaddrinfo used by Addrinfo.getaddrinfo(..., timeout:) and Socket.tcp(..., resolv_timeout:). A remote attacker who can delay DNS responses near the specified timeout may cause the Ruby process to dereference freed memory and crash.
Recommended action
Please update to Ruby 4.0.5 or later.
Workaround
If you cannot upgrade immediately, avoid passing timeout: to Addrinfo.getaddrinfo and resolv_timeout: to Socket.tcp.
Affected versions
- Ruby 4.0.0 through 4.0.4
- Ruby 4.1.0-dev (master) before the fix
Ruby 3.4 series and earlier are not affected.
Credits
Thanks to cantina-security for discovering this issue. Also thanks to shioimm for creating the patch.
History
- Originally published at 2026-05-20 00:00:00 (UTC)
0 Comments
Log in to join the conversation.No comments yet. Be the first to share your thoughts.