HIGH
Ruby Lang
CVE published 2026-05-22
CVE-2026-46727
A race condition in Ruby 4's pthread-based getaddrinfo timeout handler (rb_getaddrinfo) creates a use-after-free vulnerability. The flaw exists in ext/socket/raddrinfo.c when Addrinfo.getaddrinfo() or Socket.tcp() is called with a timeout parameter. A remote attacker who can delay DNS responses near the user-specified timeout window can trigger process crashes. The attack vector requires network positioni [truncated]