Skip to main content

Red Hat CVE-2026-33176

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-03-23 https://github.com/rails/rails
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:15 vuln.today
Patch released
Mar 23, 2026 - 21:15 nvd
Patch available
CVE Published
Mar 23, 2026 - 21:15 nvd
HIGH 7.5

DescriptionGitHub Advisory

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

Rails ActiveSupport number helpers contain a denial of service vulnerability where strings with scientific notation (e.g., '1e10000') are improperly converted and expanded into extremely large decimal representations, causing excessive memory allocation and CPU consumption during string formatting. The vulnerability affects ActiveSupport across multiple Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1. An attacker can exploit this by providing maliciously crafted scientific notation strings to trigger resource exhaustion and deny service to legitimate users.

Technical ContextAI

The vulnerability exists in Ruby on Rails' ActiveSupport library (pkg:rubygems/activesupport), which provides utility functions for number formatting and conversion. Specifically, the number helper methods accept string inputs containing scientific notation without proper validation before conversion and formatting operations. When a string like '1e10000' is processed, the underlying conversion logic expands the exponent into its full decimal representation, creating a string potentially millions of characters long. This represents a classic CWE-400 (Uncontrolled Resource Consumption) vulnerability where input validation fails to prevent algorithmic complexity attacks. The root cause is the lack of bounds checking on the exponent value before expansion, allowing attackers to craft inputs that trigger quadratic or worse computational complexity during number formatting.

RemediationAI

Upgrade Rails and ActiveSupport to the patched versions immediately: Rails 7.2.3.1 or later, Rails 8.0.4.1 or later, or Rails 8.1.2.1 or later. The patches are available from the normal Rails distribution channels and GitHub releases at https://github.com/rails/rails/releases/tag/v7.2.3.1, https://github.com/rails/rails/releases/tag/v8.0.4.1, and https://github.com/rails/rails/releases/tag/v8.1.2.1. As a temporary mitigation for applications unable to patch immediately, implement input validation on any user-supplied strings before passing them to number helper methods, specifically rejecting or sanitizing strings containing scientific notation (patterns like '1e' followed by large digits). Additionally, apply rate limiting and request size limits at the application or reverse proxy level to prevent resource exhaustion attacks.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed

Share

CVE-2026-33176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy