CVE-2026-33306 (bcrypt): bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on ...

The RubyLA blog offers insights, tutorials, and community updates for Ruby developers in Los Angeles and beyond. Developers can explore Ruby language features, web development frameworks, and best practices for building Ruby applications. Additionally, the blog covers Ruby meetups, events, and job opportunities in the Los Angeles area, fostering collaboration and networking within the local Ruby community.

RUBYLAND

A security advisory (CVE-2026-33306) discloses an integer overflow bug in the JRuby implementation of bcrypt-ruby. When the bcrypt cost parameter is set to 31, a signed 32-bit integer overflow causes the key-strengthening loop to execute zero iterations instead of 2^31, effectively reducing bcrypt to constant-time computation. The resulting hash appears valid and passes verification, making the weakness invisible to applications. The fix is available in bcrypt-ruby version 3.1.22; the workaround is to use a cost value below 31.

CVE-2026-33306 (bcrypt): bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby