CVE-2026-34826
published 2026-04-02CVE-2026-34826: Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without…
PriorityP342high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.38%
29.9th percentile
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 3.2.6-2 (sid) | ruby-rack 3.2.6-2 (sid) |
| rack | rack | < 2.2.23 | 2.2.23 |
| rack | rack | >= 0 < 2.2.23 | 2.2.23 |
| rack | rack | >= 3.0.0 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.0.0.beta1 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.5HIGH
osv7.5HIGH
vendor_debian5.8MEDIUM
vendor_redhat5.8MEDIUM
vendor_ubuntu3.7LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Rack vulnerabilities
vendor_ubuntu·2026-04-17·CVSS 3.7
CVE-2026-26962 [LOW] Rack vulnerabilities
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
Andrew Lacambra discovered that Rack did not properly parse certain regular
expressions. An attacker could possibly use this issue to bypass network
security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961)
William T. Nelson discovered that Rack did not handle multipart headers
correctly. An attacker could possibly use this issue to cause downstream
parsing issues or a denial of service. This issue only affected Ubuntu
25.10. (CVE-2026-26962)
It was discovered that Rack did not handle the Forwarded header correctly.
An attacker could possibly use this issue to manipulate header values. This
issue only affected Ubuntu 25.10. (CVE-2026
Red Hat
rack: Rack: Denial of Service via malicious HTTP Range header
vendor_redhat·2026-04-02·CVSS 5.8
CVE-2026-34826 [MEDIUM] CWE-770 rack: Rack: Denial of Service via malicious HTTP Range header
rack: Rack: Denial of Service via malicious HTTP Range header
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
A flaw was found in Rack. A remote a
Debian
CVE-2026-34826: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...
vendor_debian·2026·CVSS 5.8
CVE-2026-34826 [MEDIUM] CVE-2026-34826: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: resolved (fixed in 3.2.6-2)
trixie: open
OSV
CVE-2026-34826: (Rack is a modular Ruby web server interface
osv·2026-04-03·CVSS 5.3
CVE-2026-34826 [MEDIUM] CVE-2026-34826: (Rack is a modular Ruby web server interface
(Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...)
OSV
CVE-2026-34826: Rack is a modular Ruby web server interface
osv·2026-04-02·CVSS 7.5
CVE-2026-34826 [HIGH] CVE-2026-34826: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
GHSA
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
ghsa·2026-04-02·CVSS 7.5
CVE-2026-34826 [HIGH] CWE-400 Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
## Summary
`Rack::Utils.get_byte_ranges` parses the HTTP `Range` header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as `0-0,0-0,0-0,...` to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request.
This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses.
## Details
`Rack::Utils.get_byte_ranges` accepts a comma-separated list of byte ranges and validates them based on their aggregate size, b
OSV
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
osv·2026-04-02·CVSS 7.5
CVE-2026-34826 [HIGH] Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
## Summary
`Rack::Utils.get_byte_ranges` parses the HTTP `Range` header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as `0-0,0-0,0-0,...` to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request.
This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses.
## Details
`Rack::Utils.get_byte_ranges` accepts a comma-separated list of byte ranges and validates them based on their aggregate size, b
No detection rules found.
No public exploits indexed.
2026-04-02
Published