Ruby Race Condition Vulnerability in getaddrinfo Timeout Handler Allowing Use-After-Free

Vulnerability

A race condition leading to a use-after-free vulnerability has been identified in Ruby versions from 4.0.0 up to, but not including, 4.0.5, and in Ruby 4.1.0-dev (master) before the fix. The issue is in the pthread-based getaddrinfo timeout handler, rb_getaddrinfo, located in ext/socket/raddrinfo.c. A remote attacker who can delay DNS responses close to the user-specified timeout can crash a Ruby process that uses Addrinfo.getaddrinfo(..., timeout:) or Socket.tcp(..., resolv_timeout:). While the primary consequence is a crash, memory-corruption-based exploitation is theoretically possible, potentially through a crafted authoritative DNS server or recursive resolver.

Impact

Exploitation of this vulnerability leads to a crash of the Ruby process, with the possibility of memory-corruption-based exploitation.

Remediation

Users are advised to upgrade to Ruby 4.0.5 or later. If an immediate upgrade is not possible, avoid using the timeout parameter with Addrinfo.getaddrinfo and the resolv_timeout parameter with Socket.tcp.
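
The following is an added example, not code from this advisory or from the Ruby project. It checks a version string against the affected release range given above and flags call sites that pass the two timeout options named in the remediation. The helper names (affected_release?, risky_call_sites) and the sample source are constructed for illustration, and the matching is a text heuristic that only sees calls written with parentheses.

```ruby
require "rubygems" # Gem::Version (normally preloaded)

# Affected range stated in the advisory: 4.0.0 up to, not including, 4.0.5.
# 4.1.0-dev (master) builds cannot be judged by version number alone.
AFFECTED_FROM = Gem::Version.new("4.0.0")
FIXED_IN      = Gem::Version.new("4.0.5")

def affected_release?(version = RUBY_VERSION)
  v = Gem::Version.new(version)
  v >= AFFECTED_FROM && v < FIXED_IN
end

# Argument list allowing one level of nested parentheses (heuristic, not a parser).
ARGS = /(?:[^()]|\([^()]*\))*?/
RISKY_CALLS = {
  "Addrinfo.getaddrinfo(timeout:)" => /\bAddrinfo\.getaddrinfo\s*\(#{ARGS}\btimeout:/m,
  "Socket.tcp(resolv_timeout:)"    => /\bSocket\.tcp\s*\(#{ARGS}\bresolv_timeout:/m
}.freeze

# Returns [[line_number, label], ...] for each call that passes the timeout option.
def risky_call_sites(source)
  hits = []
  RISKY_CALLS.each do |label, pattern|
    source.scan(pattern) do
      offset = Regexp.last_match.begin(0)
      hits << [source[0...offset].count("\n") + 1, label]
    end
  end
  hits.sort
end

# Constructed sample source, not taken from any real project.
SAMPLE = <<~'RUBY'
  addrs = Addrinfo.getaddrinfo("example.test", 443, nil, :STREAM, timeout: 2)
  safe  = Addrinfo.getaddrinfo("example.test", 443)
  sock  = Socket.tcp(host_for(:api), 443,
                     connect_timeout: 5,
                     resolv_timeout: 2)
  other = Socket.tcp("example.test", 80, connect_timeout: 5)
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "Running Ruby #{RUBY_VERSION}: affected release = #{affected_release?}"
  risky_call_sites(SAMPLE).each { |line, label| puts "line #{line}: #{label}" }
end
```

Calls that pass only connect_timeout: are not flagged, since the advisory names resolv_timeout: and timeout: as the affected options.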

Added: May 26, 2026, 9:28 PM
Updated: May 26, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 3.1
exploitability: 4.3
remediation: 8.3
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.