Integer overflow in Bcrypt-ruby

CVE-2026-33306

bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted appl…

Vulnerability class: Integer Overflow

EPSS: 0.000 (1.1th percentile) — read the EPSS interpretation.

Affected products

Bcrypt-ruby — versions < 3.1.22

Weakness classification (CWE)

CWE-190 — Integer Overflow or Wraparound

References

https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954 (x_refsource_CONFIRM)
https://github.com/bcrypt-ruby/bcrypt-ruby/commit/831ce64cb0a9502130fa93a28bfd9527a5fa45c4 (x_refsource_MISC)
https://github.com/bcrypt-ruby/bcrypt-ruby/releases/tag/v3.1.22 (x_refsource_MISC)