Skip to main content

Red Hat EUVDEUVD-2026-18378

| CVE-2026-34230 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-02 security-advisories@github.com GHSA-v569-hp3g-36wr
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:22 euvd
EUVD-2026-18378
Analysis Generated
Apr 02, 2026 - 17:22 vuln.today
CVE Published
Apr 02, 2026 - 17:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

AnalysisAI

Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.

Technical ContextAI

Rack is a foundational Ruby web server interface library that provides middleware components for HTTP request/response handling. The Rack::Utils.select_best_encoding method processes the Accept-Encoding HTTP header to determine optimal compression algorithms for responses. The vulnerability stems from a CWE-400 uncontrolled resource consumption flaw: when the Accept-Encoding header contains numerous wildcard (*) entries, the algorithm exhibits quadratic time complexity in processing these values. Rack::Deflater, a widely-used middleware component, directly invokes this method to select response encoding, making the compression pipeline a direct attack vector. The issue affects Rack across multiple major versions: 2.x series prior to 2.2.23, 3.1.x prior to 3.1.21, and 3.2.x prior to 3.2.6. Applications using the CPE rack component (specifically rack-deflater) with any vulnerable version exposed.

RemediationAI

Upgrade Rack to version 2.2.23 (for 2.x users), 3.1.21 (for 3.1.x users), or 3.2.6 (for 3.2.x users). For Rails applications, update the Rack gem dependency in Gemfile and run bundle update rack; for standalone Rack applications, update the gem dependency and redeploy. If immediate patching is not feasible, organizations can mitigate by disabling Rack::Deflater middleware temporarily, implementing HTTP request header size limits at the reverse proxy or load balancer level to reject Accept-Encoding headers exceeding reasonable lengths, or rate-limiting requests with suspicious Accept-Encoding patterns. See the GitHub security advisory at https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr for additional context and patch release notes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy