Skip to main content

Red Hat CVE-2026-34826

| EUVDEUVD-2026-18386 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-02 security-advisories@github.com GHSA-x8cg-fq8g-mxfx
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:22 euvd
EUVD-2026-18386
Analysis Generated
Apr 02, 2026 - 17:22 vuln.today
CVE Published
Apr 02, 2026 - 17:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

AnalysisAI

Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.

Technical ContextAI

Rack is a foundational Ruby web application interface that standardizes HTTP server communication. The vulnerability exists in the Rack::Utils.get_byte_ranges method, which parses the HTTP Range header (RFC 7233) to support partial content delivery and resume functionality. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), specifically the lack of a limit on the count of individual byte ranges within a single Range header. While the prior CVE-2024-26141 patch added validation to reject ranges whose combined byte coverage exceeds the file size, it did not implement a cap on the number of distinct ranges. An attacker can craft a Range header containing hundreds or thousands of small, overlapping ranges (e.g., 'bytes=0-0,0-0,0-0,...') that individually pass validation but collectively trigger excessive parsing, memory allocation, and I/O operations when the server constructs multipart/byteranges responses.

RemediationAI

Vendors and users must upgrade to patched versions: Rack 2.2.23, 3.1.21, or 3.2.6 depending on their current branch. Administrators should update via their package manager (bundler, gem, etc.) with 'bundle update rack' or equivalent. The patch introduces a limit on the maximum number of byte ranges accepted in a single Range header, preventing the unbounded consumption attack. As a temporary workaround pending patching, operators may disable HTTP Range header support via reverse proxy or application-level configuration if file resumption is not critical to their service, or implement upstream rate limiting on Range requests. Detailed remediation guidance is available in the advisory at https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-34826 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy