CVE-2026-46727 Ruby Lang CVE debrief

Who should care

Organizations running Ruby 4.0.0-4.0.4 in production environments, particularly those with externally-facing services that perform DNS resolution with user-controlled hostnames or timeout parameters. Cloud providers, hosting platforms, and applications using Ruby's socket libraries with timeout configurations are at elevated risk.

Technical summary

The vulnerability resides in rb_getaddrinfo() in ext/socket/raddrinfo.c, which implements timeout handling for DNS resolution using pthreads. The race condition occurs between timeout expiration and getaddrinfo completion, leading to use-after-free when the timeout handler frees resources still in use by the resolution thread. Affected APIs include Addrinfo.getaddrinfo(..., timeout:) and Socket.tcp(..., resolv_timeout:). The attack requires precise timing control over DNS responses, making exploitation complex but achievable for attackers with DNS infrastructure access.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Ruby to version 4.0.5 or later to eliminate the vulnerable code path
• If immediate patching is not feasible, avoid using timeout parameters with Addrinfo.getaddrinfo() and Socket.tcp() where attacker-influenced DNS resolution is possible
• Monitor for unexpected Ruby process crashes in applications performing DNS resolution with timeouts
• Review DNS infrastructure for signs of timing manipulation attempts
• Apply principle of least privilege to Ruby processes to limit impact of potential memory corruption

Evidence notes

Vendor advisory confirms affected versions 4.0.0 through 4.0.4, with fix in 4.0.5. HackerOne report indicates coordinated disclosure. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H reflects network attack vector with high attack complexity due to timing requirements.

Official resources