Add cve-2026-46727 and write up a 4.0.5 release post

Author: k0kubun

en/news/_posts/2026-05-20-getaddrinfo-cve-2026-46727.md

@@ -0,0 +1,38 @@
+---
+layout: news_post
+title: "CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler"
+author: "hsbt"
+translator:
+date: 2026-05-20 00:00:00 +0000
+tags: security
+lang: en
+---
+
+A use-after-free vulnerability has been discovered in the pthread-based `getaddrinfo` timeout handler of Ruby. This vulnerability has been assigned the CVE identifier [CVE-2026-46727](https://www.cve.org/CVERecord?id=CVE-2026-46727). This issue has been fixed in Ruby 4.0.5. We recommend upgrading Ruby.
+
+## Details
+
+A race condition exists in the timeout cancellation path of `rb_getaddrinfo` used by `Addrinfo.getaddrinfo(..., timeout:)` and `Socket.tcp(..., resolv_timeout:)`. A remote attacker who can delay DNS responses near the specified timeout may cause the Ruby process to dereference freed memory and crash.
+
+## Recommended action
+
+Please update to Ruby 4.0.5 or later.
+
+## Workaround
+
+If you cannot upgrade immediately, avoid passing `timeout:` to `Addrinfo.getaddrinfo` and `resolv_timeout:` to `Socket.tcp`.
+
+## Affected versions
+
+* Ruby 4.0.0 through 4.0.4
+* Ruby 4.1.0-dev (master) before the fix
+
+Ruby 3.4 series and earlier are not affected.
+
+## Credits
+
+Thanks to [cantina-security](https://hackerone.com/cantina-security) for discovering this issue. Also thanks to [shioimm](https://github.com/shioimm) for creating the patch.
+
+## History
+
+* Originally published at 2026-05-20 00:00:00 (UTC)

en/news/_posts/2026-05-20-ruby-4-0-5-released.md

@@ -1,16 +1,26 @@
 ---
 layout: news_post
 title: "Ruby 4.0.5 Released"
-author:
+author: k0kubun
 translator:
 date: 2026-05-20 00:12:20 +0000
 lang: en
 ---
 
 Ruby 4.0.5 has been released.
 
+This release only contains a security fix for
+[CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler](/en/news/2026/05/20/getaddrinfo-cve-2026-46727/)
+and a build system regression under C locale ([[Bug #22065]](https://bugs.ruby-lang.org/issues/22065)).
+
 Please see the [GitHub releases](https://github.com/ruby/ruby/releases/tag/v4.0.5) for further details.
 
+## Release Schedule
+
+We intend to release the latest stable Ruby version (currently Ruby 4.0) every two months following the most recent *regular* release. Ruby 4.0.6 will be released in July, 4.0.7 in September, and 4.0.8 in November.
+
+If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift accordingly.
+
 ## Download
 
 {% assign release = site.data.releases | where: "version", "4.0.5" | first %}