Skip to main content

Red Hat CVE-2026-34831

| EUVDEUVD-2026-18392 MEDIUM
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-04-02 security-advisories@github.com GHSA-q2ww-5357-x388
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:22 euvd
EUVD-2026-18392
Analysis Generated
Apr 02, 2026 - 17:22 vuln.today
CVE Published
Apr 02, 2026 - 17:16 nvd
MEDIUM 4.8

DescriptionGitHub Advisory

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

AnalysisAI

HTTP response desynchronization in Rack web server framework versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to cause Content-Length header mismatches by requesting non-existent paths with percent-encoded UTF-8 characters. The vulnerability stems from Rack::Files#fail using String#size instead of String#bytesize when setting Content-Length, causing declared header values to be smaller than actual bytes transmitted, potentially leading to response framing errors and information disclosure in deployments sensitive to Content-Length validation. No public exploit code or confirmed active exploitation identified at time of analysis.

Technical ContextAI

Rack is a minimal Ruby web application interface specification that abstracts HTTP server operations. The vulnerability exists in the Rack::Files middleware class, specifically the #fail method responsible for generating 404 error responses. The root cause is CWE-130 (Improper Handling of Length Parameters), where String#size counts UTF-8 characters rather than bytes, while HTTP Content-Length headers must specify byte counts. When a 404 response body contains multibyte UTF-8 sequences (triggered by percent-encoded UTF-8 in the requested path being reflected in the error message), the mismatch between declared Content-Length and actual transmitted bytes violates HTTP response framing semantics. This can cause HTTP clients or intermediate proxies that enforce strict Content-Length validation to incorrectly parse response boundaries, leading to response desynchronization where subsequent requests on persistent connections read incorrect data.

RemediationAI

Upgrade Rack to version 2.2.23, 3.1.21, or 3.2.6 depending on the currently installed major/minor version. For Rails applications, update the Rack dependency via bundle update rack or by updating Rails itself to a version that depends on patched Rack. For standalone Rack applications, update the gemfile and run bundle install. The patch fixes Rack::Files#fail to use String#bytesize instead of String#size when calculating Content-Length headers. No workarounds are available for older versions; patching is the only remediation. Refer to GitHub security advisory GHSA-q2ww-5357-x388 and gem release notes for verification.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-34831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy