CVE-2026-34826Allocation of Resources Without Limits or Throttling in Rack

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption10 documents8 sources
Severity
5.3MEDIUMNVD
CNA5.8GHSA7.5OSV7.5
EPSS
0.1%
top 81.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rack
Timeline
PublishedApr 2
Latest updateApr 17

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumptio

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5rack/rack< 2.2.23+2
RubyGemsrack/rack3.0.0.beta13.1.21+2

🔴Vulnerability Details

5
OSV
CVE-2026-34826: (Rack is a modular Ruby web server interface2026-04-03
OSV
CVE-2026-34826: Rack is a modular Ruby web server interface2026-04-02
CVEList
Rack: Unbounded Range Count in get_byte_ranges Enables DoS2026-04-02
GHSA
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges2026-04-02
OSV
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges2026-04-02

📋Vendor Advisories

3
Ubuntu
Rack vulnerabilities2026-04-17
Red Hat
rack: Rack: Denial of Service via malicious HTTP Range header2026-04-02
Debian
CVE-2026-34826: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-34826 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-34826 — Rack vulnerability | cvebase