Which versions of Red Hat are affected by CVE-2026-33210?

A vulnerability in the Ruby JSON gem could allow attackers to disrupt services or access sensitive information, but only affects systems using a non-default parsing configuration.. A patch is available.

Red Hat CVE-2026-33210

Q: What is the CVSS score of CVE-2026-33210?

CVE-2026-33210 has a CVSS 4.0 base score of 8.3 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

HIGH

Use of Externally-Controlled Format String (CWE-134)

2026-03-19 https://github.com/ruby/json

GHSA-3m6g-2423-7cp3

Denial Of Service Information Disclosure Red Hat Suse

8.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 19, 2026 - 13:00 vuln.today

CVE Published

Mar 19, 2026 - 12:45 nvd

HIGH 8.3

DescriptionNVD

Impact

A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.

This option isn't the default, if you didn't opt-in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

AnalysisAI

A format string injection vulnerability exists in the Ruby JSON gem that can lead to denial of service attacks or information disclosure when parsing user-supplied documents with the non-default 'allow_duplicate_key: false' parsing option enabled. The vulnerability affects users of the pkg:rubygems/json package who have explicitly opted into using this specific parsing configuration. …

RemediationAI

Within 24 hours: Identify all Ruby applications using the json gem with 'allow_duplicate_key: false' option enabled through code review and dependency scanning. Within 7 days: Implement compensating controls such as input validation, disabling the vulnerable parsing option if not business-critical, or isolating affected systems from untrusted input sources. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-33210 vulnerability details – vuln.today

Back

Red Hat CVE-2026-33210

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

Red Hat CVE-2026-33210

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code