There are 3 security fixes in this release, so updating is recommended.
These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.
What's Changed
- CVE-2026-54904
  AtomicReference#update livelocks when the stored value is Float::NAN. Fix by @joshuay03 and @eregon
- CVE-2026-54905
  ReentrantReadWriteLock read-count overflow grants a write lock without exclusivity. Fix by @joshuay03
- CVE-2026-54906
  ReadWriteLock allows wrong-thread write release and stray read-release counter corruption. Fix by @joshuay03
- concurrent-ruby-ext: fix build on Darwin 32-bit by @barracuda156 in #1064
- Add SECURITY.md by @eregon in #1104
- Add Ruby 4.0 in CI by @eregon in #1106
New Contributors
- @barracuda156 made their first contribution in #1064
Full Changelog: v1.3.6...v1.3.7