Integer Overflow in bcrypt-ruby Affects JRuby Implementation
CVE-2026-33306

4.5 MEDIUM

Key Information:

CVE Published: 24 March 2026

What is CVE-2026-33306?

The bcrypt-ruby gem, which provides Ruby bindings for the OpenBSD bcrypt() password hashing algorithm, is affected by an integer overflow vulnerability in its JRuby implementation. When the cost (work factor) is set to 31, a signed integer overflow causes the key-strengthening loop to execute zero iterations. This reduces the work of hashing a password from 2^31 rounds to a constant-time operation. The resulting hash still looks valid and verifies correctly, so the weakening is silent; applications relying on a cost of 31 therefore store password hashes with effectively no key stretching, which is a significant risk if exploited. Users are advised to upgrade to version 3.1.22, or to set the cost below 31 as a temporary workaround.
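To make the failure mode concrete, the following Ruby script is an added example (not code from the bcrypt-ruby gem) that models the key-strengthening loop count as it behaves in a signed 32-bit integer, and shows a defender-side guard that rejects unsafe cost values before they reach the hasher. The `1 << cost` model of the loop count, the helper names, and the assumed lower bound of 4 are all assumptions for this example.

```ruby
# Added example: models how a signed 32-bit loop count derived from a bcrypt
# cost overflows at cost 31. Not code from bcrypt-ruby; the "1 << cost" model
# of the key-strengthening loop is an assumption made for illustration.

MIN_COST = 4        # assumed lower bound, as commonly enforced by bcrypt implementations
MAX_SAFE_COST = 30  # largest cost whose 1 << cost still fits a signed 32-bit int

# Emulate a signed 32-bit `int` computing 1 << cost (Java-style wraparound).
def signed32_rounds(cost)
  value = (1 << cost) & 0xFFFFFFFF
  value >= 2**31 ? value - 2**32 : value
end

# Iterations a loop of the form `for (i = 0; i < rounds; i++)` would run
# with that (possibly negative) bound: a negative bound yields zero passes.
def iterations_for(cost)
  rounds = signed32_rounds(cost)
  rounds.positive? ? rounds : 0
end

# Defender-side guard: fail loudly on a cost the implementation cannot
# represent safely, instead of silently hashing with zero rounds.
def validate_cost!(cost)
  unless cost.is_a?(Integer) && cost.between?(MIN_COST, MAX_SAFE_COST)
    raise ArgumentError,
          "bcrypt cost #{cost.inspect} must be between #{MIN_COST} and #{MAX_SAFE_COST}"
  end
  cost
end

if $PROGRAM_NAME == __FILE__
  [10, 30, 31].each do |cost|
    printf("cost %2d -> rounds %12d, loop iterations %d\n",
           cost, signed32_rounds(cost), iterations_for(cost))
  end
end
```

Running the script shows cost 30 yielding 1073741824 iterations while cost 31 yields a negative bound and zero iterations, which is exactly the condition the advisory describes.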


Affected Version(s)

bcrypt-ruby < 3.1.22

CVSS v4

Score: 4.5
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
