CVE-2026-33176

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation without Limits8 documents7 sources

Severity

6.6MEDIUM

EPSS

0.0%

top 94.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Activesupport Rubyonrails Rails

Timeline

PublishedMar 24

Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, an…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5rails/activesupport< 7.2.3.1+2

▶RubyGemsactivesupport8.1.0.beta1 — 8.1.2.1+2

▶NVDrubyonrails/rails8.0.0 — 8.0.4.1+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33176: Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework↗2026-03-24

▶

GHSA

Rails Active Support has a possible DoS vulnerability in its number helpers↗2026-03-23

▶

CVEList

Rails Active Support has a possible DoS vulnerability in its number helpers↗2026-03-23

▶

OSV

Rails Active Support has a possible DoS vulnerability in its number helpers↗2026-03-23

▶

📋Vendor Advisories

Red Hat

Rails: Active Support: Active Support: Denial of Service via large scientific notation strings↗2026-03-23

▶

Debian

CVE-2026-33176: rails - Active Support is a toolkit of support libraries and Ruby core extensions extrac...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33176 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶