CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler
Posted by hsbt on 20 May 2026
A use-after-free vulnerability has been discovered in the pthread-based getaddrinfo timeout handler of Ruby. This vulnerability has been assigned the CVE identifier CVE-2026-46727. This issue has been fixed in Ruby 4.0.5. We recommend upgrading Ruby.
Details
A race condition exists in the timeout cancellation path of rb_getaddrinfo used by Addrinfo.getaddrinfo(..., timeout:) and Socket.tcp(..., resolv_timeout:). A remote attacker who can delay DNS responses near the specified timeout may cause the Ruby process to dereference freed memory and crash.
Recommended action
Please update to Ruby 4.0.5 or later.
Workaround
If you cannot upgrade immediately, avoid passing timeout: to Addrinfo.getaddrinfo and resolv_timeout: to Socket.tcp.
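The following helper applies this workaround only on interpreters the advisory lists as affected, so code keeps its resolver timeout once Ruby 4.0.5 or later is running. This is an added example written for this page, not code from the advisory or from Ruby itself; the treatment of 4.1.0-dev builds (flagged conservatively via RUBY_PATCHLEVEL == -1, since a version number alone cannot tell whether the fix is present) is an assumption of the example.

```ruby
require "socket"
require "rubygems" # for Gem::Version

# Ranges taken from the advisory: 4.0.0 through 4.0.4 are affected, 4.0.5 is
# fixed, and the 3.4 series and earlier were never affected.
AFFECTED_FIRST = Gem::Version.new("4.0.0")
FIXED_AT       = Gem::Version.new("4.0.5")
DEV_4_1        = Gem::Version.new("4.1.0")

def affected_ruby?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  v = Gem::Version.new(version)
  return true if v >= AFFECTED_FIRST && v < FIXED_AT
  # Assumption: RUBY_PATCHLEVEL is -1 on development builds, and a 4.1.0-dev
  # build may predate the fix, so it is treated as affected rather than trusted.
  return true if v >= DEV_4_1 && patchlevel == -1
  false
end

# Keyword that routes each API into the pthread-based timeout path.
RESOLVER_TIMEOUT_KEYS = { Socket => :resolv_timeout, Addrinfo => :timeout }.freeze

# Returns opts without the resolver-timeout keyword when the running interpreter
# is affected, and opts unchanged otherwise. Dropping the keyword makes the DNS
# wait unbounded on an affected Ruby, so the caller should still enforce an
# overall deadline by other means.
def resolver_safe_options(receiver, opts, affected: affected_ruby?)
  key = RESOLVER_TIMEOUT_KEYS.fetch(receiver)
  return opts unless affected && opts.key?(key)
  opts.reject { |k, _| k == key }
end

# Socket.tcp wrapper that strips resolv_timeout: only where needed; the
# connect_timeout: keyword is unrelated to the resolver and is kept.
def tcp_connect(host, port, **opts)
  Socket.tcp(host, port, **resolver_safe_options(Socket, opts))
end
```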
Affected versions
- Ruby 4.0.0 through 4.0.4
- Ruby 4.1.0-dev (master) before the fix
The Ruby 3.4 series and earlier are not affected.
Credits
Thanks to cantina-security for discovering this issue. Also thanks to shioimm for creating the patch.
History
- Originally published at 2026-05-20 00:00:00 (UTC)