A use-after-free vulnerability (CVE-2026-46727) has been found in Ruby's pthread-based getaddrinfo timeout handler. A race condition in the timeout cancellation path of rb_getaddrinfo, which backs Addrinfo.getaddrinfo and Socket.tcp, can allow a remote attacker who controls a DNS server, or who can delay DNS responses so that they arrive near the timeout threshold, to cause the Ruby process to dereference freed memory and crash. Affected versions are Ruby 4.0.0 through 4.0.4 and 4.1.0-dev builds before the fix. Ruby 3.4 and earlier are not affected because they do not have this timeout handler. The fix is included in Ruby 4.0.5. As a workaround, avoid passing timeout: to Addrinfo.getaddrinfo or resolv_timeout: to Socket.tcp; note that without these keywords the lookup blocks for as long as the system resolver takes, so bound the wait elsewhere or upgrade.
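Below is an added example, not code from the advisory or from the Ruby project, showing how an application can apply the workaround without dropping its resolver timeout everywhere: the affected range is checked against the running Ruby, resolv_timeout: is only passed to Socket.tcp on unaffected releases, and on affected releases DNS is resolved with the pure-Ruby Resolv::DNS (which has its own timeouts and does not go through rb_getaddrinfo) before connecting to the literal address. The helper names (getaddrinfo_timeout_affected?, tcp_options, safe_tcp, tcp_with_bounded_resolve) are assumptions for this example, and treating every 4.1.0 pre-release as affected is a conservative assumption, since a version string cannot tell whether a dev build carries the fix.

```ruby
require 'socket'
require 'resolv'

# Affected range taken from the advisory: 4.0.0 <= RUBY_VERSION < 4.0.5.
AFFECTED = Gem::Requirement.new('>= 4.0.0', '< 4.0.5')

# True when the given Ruby version should not be handed a resolver timeout.
# 4.1.0 pre-releases are treated as affected as well (conservative assumption:
# the advisory says 4.1.0-dev before the fix is vulnerable, and the version
# string alone cannot say whether a given dev build includes the fix).
def getaddrinfo_timeout_affected?(version = RUBY_VERSION)
  v = Gem::Version.new(version)
  return true if AFFECTED.satisfied_by?(v)
  v.prerelease? && v.segments.first(2) == [4, 1]
end

# Keyword options for Socket.tcp: on affected releases the resolver timeout is
# dropped (the advisory's workaround) and only connect_timeout is kept.
def tcp_options(resolv_timeout:, connect_timeout:, version: RUBY_VERSION)
  opts = { connect_timeout: connect_timeout }
  opts[:resolv_timeout] = resolv_timeout unless getaddrinfo_timeout_affected?(version)
  opts
end

# Drop-in replacement for Socket.tcp(host, port, resolv_timeout:, connect_timeout:)
# that never triggers the vulnerable cancellation path on an affected release.
def safe_tcp(host, port, resolv_timeout: 5, connect_timeout: 5)
  Socket.tcp(host, port, **tcp_options(resolv_timeout: resolv_timeout,
                                       connect_timeout: connect_timeout))
end

# Alternative for affected releases that still bounds the DNS wait: resolve with
# Resolv (hosts file first, then the pure-Ruby DNS client with its own timeout),
# then connect to the IP literal, so Socket.tcp performs no DNS lookup at all.
# This is an assumed approach for the example, not a workaround from the advisory.
def tcp_with_bounded_resolve(host, port, resolv_timeout: 5, connect_timeout: 5)
  dns = Resolv::DNS.new
  dns.timeouts = resolv_timeout
  resolver = Resolv.new([Resolv::Hosts.new, dns])
  ip = resolver.getaddress(host) # raises Resolv::ResolvError on failure or timeout
  Socket.tcp(ip, port, connect_timeout: connect_timeout)
ensure
  dns&.close
end
```

Callers can keep using safe_tcp on every release and switch to tcp_with_bounded_resolve only where an unbounded system-resolver wait is unacceptable; both helpers leave Addrinfo.getaddrinfo's timeout: keyword out of the picture on affected versions.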