From 165edd26eaabef396be2767cbbcd83b8335c868e Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Fri, 20 Mar 2026 09:48:13 -0400
Subject: [PATCH] GHSA/SYNC: 1 brand new advisory

---
 gems/bcrypt/CVE-2026-33306.yml | 43 ++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 gems/bcrypt/CVE-2026-33306.yml

diff --git a/gems/bcrypt/CVE-2026-33306.yml b/gems/bcrypt/CVE-2026-33306.yml
new file mode 100644
index 0000000000..06e63aec77
--- /dev/null
+++ b/gems/bcrypt/CVE-2026-33306.yml
@@ -0,0 +1,43 @@
+---
+gem: bcrypt
+cve: 2026-33306
+ghsa: f27w-vcwj-c954
+url: https://github.com/advisories/GHSA-f27w-vcwj-c954
+title: bcrypt-ruby has an Integer Overflow that Causes Zero
+ Key-Strengthening Iterations at Cost=31 on JRuby
+date: 2026-03-19
+description: |
+ ### Impact
+
+ An integer overflow in the Java BCrypt implementation for JRuby can
+ cause zero iterations in the strengthening loop. Impacted
+ applications must be setting the cost to 31 to see this happen.
+
+ The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes
+ the key-strengthening round count as a signed 32-bit integer.
+ When `cost=31` (the maximum allowed by the gem), signed integer
+ overflow causes the round count to become negative, and the
+ strengthening loop executes **zero iterations**. This collapses
+ bcrypt from 2^31 rounds of exponential key-strengthening to
+ effectively constant-time computation — only the initial
+ EksBlowfish key setup and final 64x encryption phase remain.
+
+ The resulting hash looks valid (`$2a$31$...`) and verifies
+ correctly via `checkpw`, making the weakness invisible to the
+ application. This issue is triggered only when cost=31 is
+ used or when verifying a `$2a$31$` hash.
+
+ ### Patches
+
+ This problem has been fixed in version 3.1.22
+
+ ### Workarounds
+
+ Set the cost to something less than 31.
+patched_versions:
+ - ">= 3.1.22"
+related:
+ url:
+ - https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954
+ - https://github.com/bcrypt-ruby/bcrypt-ruby/commit/5faa2748331d3edc661c127ef2fbb3afcb6b02a4
+ - https://github.com/advisories/GHSA-f27w-vcwj-c954
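Review bot: The advisory's description confines the defect to the JRuby implementation (`BCrypt.java`, signed 32-bit round count), yet the machine-readable scope is carried only by `patched_versions: - ">= 3.1.22"`, so any tooling consuming this file will flag every bcrypt install below 3.1.22 regardless of interpreter, which the description does not claim. If the database schema supports a platform field, adding `platform: jruby` next to `gem: bcrypt` would narrow the match; otherwise a first line under `### Impact` such as `Only the JRuby (Java) implementation is affected; the issue is not described for other Ruby implementations.` would make the scope explicit to readers. Since the description states that affected `$2a$31$` hashes look valid and verify correctly via `checkpw`, the `### Patches` section would also benefit from one sentence on what happens to hashes created at cost 31 by a vulnerable version once 3.1.22 is installed, which the page does not say and operators will need to know when planning a rehash or forced reset.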