Posted by hsbt on 20 May 2026

A use-after-free vulnerability has been discovered in the pthread-based getaddrinfo timeout handler of Ruby. This vulnerability has been assigned the CVE identifier CVE-2026-46727. This issue has been fixed in Ruby 4.0.5. We recommend upgrading Ruby.

Details

A race condition exists in the timeout cancellation path of rb_getaddrinfo used by Addrinfo.getaddrinfo(..., timeout:) and Socket.tcp(..., resolv_timeout:). A remote attacker who can delay DNS responses near the specified timeout may cause the Ruby process to dereference freed memory and crash.

Recommended action

Please update to Ruby 4.0.5 or later.

Workaround

If you cannot upgrade immediately, avoid passing timeout: to Addrinfo.getaddrinfo and resolv_timeout: to Socket.tcp.

Affected versions

  • Ruby 4.0.0 through 4.0.4
  • Ruby 4.1.0-dev (master) before the fix

Ruby 3.4 series and earlier are not affected.

Credits

Thanks to cantina-security for discovering this issue. Also thanks to shioimm for creating the patch.

History

  • Originally published at 2026-05-20 00:00:00 (UTC)