CVE-2026-54904: Concurrent Ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN.
The issue is caused by the interaction between:
- `AtomicReference#update`, which retries until `compare_and_set(old_value, new_value)` succeeds.
- Numeric `compare_and_set`, which checks `old == old_value` before attempting the underlying atomic swap.
- Ruby NaN semantics, where `Float::NAN == Float::NAN` is always `false`.
As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller’s block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs.
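The retry interaction described above, reproduced as an added example with a simplified stand-in class (this is not concurrent-ruby's code), next to a guard that keeps NaN out of the reference. `ModelReference`, `max_tries` and `store_metric` are hypothetical names, the retry cap exists only so the demonstration terminates, and the NaN input is constructed.

```ruby
# Simplified model of the logic in the advisory; NOT concurrent-ruby's implementation.
class ModelReference
  def initialize(value)
    @value = value
    @lock = Mutex.new
  end

  def get
    @lock.synchronize { @value }
  end

  # Numeric path as described: compare with == before swapping.
  def compare_and_set(old_value, new_value)
    @lock.synchronize do
      return false unless @value == old_value # NaN == NaN is false, so this never passes
      @value = new_value
      true
    end
  end

  # Same loop shape as #update, but capped (max_tries is an assumption of this demo).
  # Returns [:ok, attempts] on success or [:gave_up, max_tries] when the cap is hit.
  def update(max_tries: 1_000)
    max_tries.times do |i|
      old = get
      return [:ok, i + 1] if compare_and_set(old, yield(old))
    end
    [:gave_up, max_tries]
  end
end

# Mitigation at the trust boundary: refuse NaN before it is ever stored.
def store_metric(ref, value)
  raise ArgumentError, "NaN rejected" if value.is_a?(Float) && value.nan?
  ref.update { |_old| value }
end

if __FILE__ == $PROGRAM_NAME
  constructed_nan = 0.0 / 0.0 # constructed sample input
  poisoned = ModelReference.new(constructed_nan)
  p poisoned.update(max_tries: 25) { |_v| 0.0 } # caller's block runs on every retry
  begin
    store_metric(ModelReference.new(1.0), constructed_nan)
  rescue ArgumentError => e
    puts "guard: #{e.message}"
  end
end
```

Without the cap, the first call is the permanent busy loop the advisory describes; the guard belongs wherever externally derived floats enter the process.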