Skip to main content

Red Hat CVE-2026-33174

HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-03-23 https://github.com/rails/rails
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:15 vuln.today
Patch released
Mar 23, 2026 - 21:15 nvd
Patch available
CVE Published
Mar 23, 2026 - 21:08 nvd
HIGH 7.5

DescriptionGitHub Advisory

Impact

When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

Rails Active Storage's Blobs::ProxyController loads entire requested byte ranges into memory before transmission, allowing remote unauthenticated attackers to exhaust server memory and cause denial of service by sending requests with large or unbounded Range headers. This vulnerability affects systems using Active Storage for file serving and requires no user interaction or authentication to exploit. A patch is available.

Technical ContextAI

The vulnerability resides in Ruby on Rails' Active Storage library (pkg:rubygems/activestorage), specifically the Blobs::ProxyController component responsible for serving user-uploaded files over HTTP. The underlying issue is classified as CWE-789 (Memory Allocation with Excessive Size Value), a weakness where application code fails to validate or bound the size of memory allocations requested by user input. When a client sends an HTTP Range header (RFC 7233) such as 'bytes=0-' or 'bytes=0-999999999', the controller loads the entire requested byte range into memory as a buffer before streaming the response to the client. This design fails to implement streaming or chunked processing that would limit memory consumption to a small, constant buffer size regardless of file size, instead proportionally allocating memory to match the requested range.

RemediationAI

Immediately upgrade Ruby on Rails to version 7.2.3.1, 8.0.4.1, 8.1.2.1, or later; patches are available from the vendor at the normal distribution channels (rubygems.org and GitHub releases at https://github.com/rails/rails/releases). The fix is implemented across three commits (2cd933c366b777f873d4d590127da2f4a25e4ba5, 42012eaaa88dfc7d0030161b2bc8074a7bbce92a, and 8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b) that modify the Range request handling to stream data with bounded memory allocation. For organizations unable to patch immediately, implement network-level mitigations such as rate limiting on file-serving endpoints, request size restrictions at the reverse proxy or load balancer level, and IP whitelisting where feasible. Monitor memory usage and connection counts on Active Storage endpoints and configure alerting for anomalous patterns.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed

Share

CVE-2026-33174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy