
Ruby 4.0.5

Release Date: May 20, 2026

So Ruby 4.0.5 just quietly dropped, and if you blinked you probably missed it. TL;DR: it is a security release, nothing flashy — but you should still update ASAP.

What Actually Changed?

One fix. One critical fix. Ruby 4.0.5 patches CVE-2026-46727, a use-after-free vulnerability in the pthread-based getaddrinfo timeout handler. If you are running Ruby 4.0.0 through 4.0.4, your DNS resolution path has a race condition that can lead to memory corruption. Not great.

The vulnerability was discovered internally by the Ruby core team and responsibly disclosed. The fix is a targeted backport — minimal diff, maximum impact.

No New Features, No Breaking Changes

This release is surgical. Zero new APIs. Zero deprecations. Zero performance tweaks. The commit history between 4.0.4 and 4.0.5 is basically just the security patch and a version bump. If you hate surprise breakage from minor updates, this is your kind of release.

But honestly? That is exactly what you want from a security patch. Clean, minimal, auditable.

Upgrade or Regret It

Upgrade through whatever manages your Ruby installation (rbenv, RVM, asdf). Note that `gem update` only updates gems and does not replace the interpreter itself. The fix is in. The CVE has been published with a detailed analysis. Waiting is not an option.
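To see where an affected interpreter is still pinned, here is an added example (not code from the Ruby project or from this post) that checks the running interpreter and walks a directory tree for version pins inside the 4.0.0 through 4.0.4 range stated above. It assumes pins live in `.ruby-version`, `.tool-versions` or the `RUBY VERSION` section of `Gemfile.lock`; the function names are hypothetical.

```ruby
require "rubygems" # provides Gem::Version for correct version comparison

# Affected range as stated on this page: 4.0.0 through 4.0.4, fixed in 4.0.5.
FIRST_AFFECTED = Gem::Version.new("4.0.0")
FIRST_FIXED    = Gem::Version.new("4.0.5")

# Extract a plain x.y.z version from the pin formats used by common tooling.
# Returns nil when the file carries no Ruby pin.
def pinned_version(filename, content)
  raw =
    case filename
    when ".ruby-version"  then content.lines.first.to_s[/\A(?:ruby-)?(\d+\.\d+\.\d+)/, 1]
    when ".tool-versions" then content[/^ruby\s+(\d+\.\d+\.\d+)/, 1]
    when "Gemfile.lock"   then content[/^RUBY VERSION\s+ruby (\d+\.\d+\.\d+)/, 1]
    end
  raw && Gem::Version.new(raw)
end

def affected?(version)
  version >= FIRST_AFFECTED && version < FIRST_FIXED
end

# Walk a tree and return [relative_path, version] for every pin in the affected range.
def audit(root)
  pattern = "**/{.ruby-version,.tool-versions,Gemfile.lock}"
  Dir.glob(pattern, File::FNM_DOTMATCH, base: root).filter_map do |rel|
    version = pinned_version(File.basename(rel), File.read(File.join(root, rel)))
    [rel, version.to_s] if version && affected?(version)
  end.sort
end

if $PROGRAM_NAME == __FILE__
  status = affected?(Gem::Version.new(RUBY_VERSION)) ? "AFFECTED" : "ok"
  puts "running interpreter #{RUBY_VERSION}: #{status}"
  audit(ARGV.fetch(0, ".")).each { |path, v| puts "#{path}: pinned to #{v} (affected)" }
end
```

Pass the root of a checkout or a directory of checkouts as the first argument; a pin only records intent, so also confirm the interpreter actually installed on each host.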

The 4.0.x line has been rock solid since the big 4.0.0 Christmas 2025 launch, and this patch keeps it that way. Props to the Ruby core team for the quick turnaround.
