CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34826: Denial of Service via Unbounded Range Count in Rack

Vulnerability ID: CVE-2026-34826
CVSS Score: 5.3
Published: 2026-04-02

CVE-2026-34826 is an uncontrolled resource consumption vulnerability in Rack's HTTP Range header parser, specifically within Rack::Utils.get_byte_ranges. Because the parser does not limit the number of byte ranges processed in a single request, an unauthenticated attacker can induce a denial-of-service condition through CPU, memory, and I/O exhaustion. This issue affects multiple versions of the Rack web server interface and is fully patched in versions 2.2.23, 3.1.21, and 3.2.6.

TL;DR

Unbounded parsing of HTTP Range headers in Rack allows remote, unauthenticated attackers to cause a denial-of-service condition. By sending thousands of range segments in a single request, attackers exhaust server CPU, memory, and I/O resources during multipart MIME generation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400, CWE-770
  • Attack Vector: Network
  • CVSS Score: 5.3
  • Impact: Partial Availability
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Ruby on Rails applications using Rack
  • Sinatra applications using Rack
  • Any Ruby web framework utilizing Rack's static file serving components
  • Rack: < 2.2.23 (Fixed in: 2.2.23)
  • Rack: >= 3.0.0.beta1, < 3.1.21 (Fixed in: 3.1.21)
  • Rack: >= 3.2.0, < 3.2.6 (Fixed in: 3.2.6)

Code Analysis

Commit: 9138756

Limit the maximum number of byte ranges in Rack::Utils.get_byte_ranges

Mitigation Strategies

  • Upgrade the Rack gem to a non-vulnerable release.
  • Implement a WAF rule to drop HTTP requests containing more than 50 commas in the Range header.
  • Configure web servers (e.g., Nginx, Apache) proxying to Rack to limit the maximum allowed size of HTTP headers.
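The following Ruby is an added example, not Rack's own code and not the patch from commit 9138756. It shows the two controls this report describes side by side: a byte-range parser that caps the number of range specs before doing any per-range work (the idea behind "Limit the maximum number of byte ranges in Rack::Utils.get_byte_ranges"), and a small Rack-style middleware that applies the comma-count rule from the mitigation list in-process. The cap of 50, the `RangeGuard` name and the sample Range headers are assumptions of this example; the page does not state the limit Rack itself chose.

```ruby
# Added example, not Rack's own code. MAX_RANGES mirrors the 50-comma WAF
# rule from the report; Rack's actual constant is not given on the page.
MAX_RANGES = 50 # assumed cap

# Parse an HTTP Range header (RFC 7233 "bytes=" syntax) for a resource of
# `size` bytes. Returns:
#   nil       -> header absent or malformed (RFC 7233 lets a server ignore
#                Range and serve the whole body)
#   :too_many -> more than max_ranges byte-range-specs; rejected before any
#                per-range parsing, which is what closes the unbounded-count
#                problem
#   Array     -> satisfiable Range objects; an empty array means 416
def bounded_byte_ranges(http_range, size, max_ranges = MAX_RANGES)
  return nil if http_range.nil?
  return nil unless http_range =~ /\Abytes=(.*)\z/
  specs = Regexp.last_match(1).split(/,\s*/)
  # Count first, parse later: the cost of this check does not grow with the
  # content of each spec, only with their number.
  return :too_many if specs.length > max_ranges

  ranges = []
  specs.each do |spec|
    m = spec.match(/\A\s*(\d*)-(\d*)\s*\z/)
    return nil unless m
    first, last = m[1], m[2]
    if first.empty?
      return nil if last.empty?        # a bare "-" is malformed
      n = last.to_i                    # suffix range: the final n bytes
      next if n.zero?                  # suffix length 0 is unsatisfiable
      ranges << ([size - n, 0].max..(size - 1))
    else
      first = first.to_i
      if last.empty?
        last = size - 1                # "500-" means 500 to end of resource
      else
        last = last.to_i
        return nil if last < first     # syntactically invalid per RFC 7233
        last = [last, size - 1].min    # clamp to the resource length
      end
      next if first >= size            # unsatisfiable, skip this spec
      ranges << (first..last)
    end
  end
  ranges
end

# Hypothetical middleware (name is this example's, not Rack's). It rejects
# requests whose Range header carries more commas than the cap before the
# request reaches static-file serving: the in-process twin of the WAF rule.
class RangeGuard
  def initialize(app, max_commas: MAX_RANGES)
    @app = app
    @max_commas = max_commas
  end

  def call(env)
    header = env["HTTP_RANGE"]
    # Comma count is an upper bound on the number of range specs, so this
    # check is linear in header length and allocates nothing per range.
    if header && header.count(",") > @max_commas
      return [400, { "content-type" => "text/plain" },
              ["Range header has too many byte ranges\n"]]
    end
    @app.call(env)
  end
end

# Constructed sample requests; the inner app stands in for a file server.
INNER_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
GUARDED_APP = RangeGuard.new(INNER_APP)

BENIGN_RANGE = "bytes=0-99,-100"
FLOOD_RANGE  = "bytes=" + (["0-0"] * 5_000).join(",") # constructed test input

if __FILE__ == $PROGRAM_NAME
  p bounded_byte_ranges(BENIGN_RANGE, 1000)               # [0..99, 900..999]
  p bounded_byte_ranges(FLOOD_RANGE, 1000)                # :too_many
  p GUARDED_APP.call({ "HTTP_RANGE" => BENIGN_RANGE })[0] # 200
  p GUARDED_APP.call({ "HTTP_RANGE" => FLOOD_RANGE })[0]  # 400
end
```

The middleware answers 400 so the rejection is visible in access logs; serving the whole resource with 200 and the Range header dropped is the RFC-permitted alternative and costs no more than a normal non-range download. The parser cap is the control that matters, since a header that passes the comma pre-filter still goes through it.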

Remediation Steps:

  1. Identify all applications utilizing the Rack library in the environment.
  2. Determine the current version of Rack in use via the Gemfile.lock.
  3. Update the Gemfile to specify a patched version (2.2.23, 3.1.21, or 3.2.6).
  4. Execute bundle update rack to fetch and apply the updated dependency.
  5. Deploy the application and verify that file serving functionality remains operational.
  6. Optionally, test the endpoint with the provided PoC curl command to ensure the server gracefully rejects the malicious request.

Read the full report for CVE-2026-34826 on our website for more details including interactive diagrams and full exploit analysis.