Platform
ruby
Component
rack
Fixed in
2.2.24
3.0.1
3.2.1
2.2.23
CVE-2026-34826 describes a Denial of Service (DoS) vulnerability in the Ruby Rack library's Rack::Utils.get_byte_ranges function. The flaw lets attackers exhaust server resources by crafting requests with a large number of overlapping byte range specifications. It affects Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.23.
An attacker exploiting CVE-2026-34826 can cause a denial of service by sending a flood of HTTP requests, each carrying many small, overlapping byte range specifications in its Range header. Because Rack::Utils.get_byte_ranges does not cap the number of ranges, it processes each range individually, so a single request can consume CPU, memory, I/O and network bandwidth out of proportion to its size. This can overwhelm the server and leave it unresponsive to legitimate requests. The blast radius covers any application that relies on Rack for file serving, affecting user access and overall system availability. Conceptually the issue resembles resource exhaustion attacks against other web frameworks, where excessive parsing or processing of malformed requests disrupts service.
CVE-2026-34826 was publicly disclosed on April 2, 2026. The vulnerability's severity is currently assessed as MEDIUM. There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. It is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34826 is to upgrade to Rack version 2.2.23 or later, which includes the fix for this vulnerability. If immediate upgrading is not feasible, consider implementing temporary workarounds. One approach is to configure a reverse proxy or web application firewall (WAF) to limit the number of byte ranges allowed per HTTP request. Additionally, rate limiting incoming requests can help prevent attackers from overwhelming the server with malicious traffic. Monitor server resource utilization (CPU, memory, bandwidth) for unusual spikes that could indicate an ongoing attack. After upgrading, confirm the fix by sending a request with a large number of overlapping byte ranges and verifying that the server does not experience excessive resource consumption or become unresponsive.
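The per-request byte-range cap described above, as an added example that is not Rack's own code: a minimal Rack-compatible middleware written in plain Ruby (no gem required to run it) that counts the range specifications in the Range header and rejects requests over a configurable limit with a 416 response before any downstream code such as Rack::Utils.get_byte_ranges does per-range work. The class name RangeCountLimiter, the default cap of 8 and the 416 response policy are assumptions chosen for illustration.

```ruby
# Added example (not Rack's own code): a Rack-compatible middleware that caps
# the number of byte-range specifications accepted in a Range header.
# Assumptions: the class name, the default cap of 8 and the choice to answer
# 416 are illustrative; tune the cap to the resources your app serves.

# Count the individual range specs in a Range header value, e.g.
# "bytes=0-1,2-3,4-5" => 3. Returns nil when the header is absent or is not a
# byte-range request (only the "bytes" unit is recognised here).
def count_byte_range_specs(header)
  return nil if header.nil?
  m = /\Abytes=(.+)\z/i.match(header.strip)
  return nil unless m
  m[1].split(",").map(&:strip).reject(&:empty?).size
end

class RangeCountLimiter
  DEFAULT_MAX_RANGES = 8 # illustrative cap

  def initialize(app, max_ranges: DEFAULT_MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  def call(env)
    count = count_byte_range_specs(env["HTTP_RANGE"])
    if count && count > @max_ranges
      # Reject before any per-range work happens downstream. The body is kept
      # tiny so the cost of answering an over-limit request stays bounded.
      body = "Too many byte ranges (#{count} > #{@max_ranges})\n"
      headers = {
        "content-type" => "text/plain",
        "content-length" => body.bytesize.to_s
      }
      return [416, headers, [body]]
    end
    @app.call(env)
  end
end

# Constructed stand-in for the protected application: it never inspects the
# Range header itself, so any request that reaches it is served with 200.
INNER_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["served\n"]] }

# Build a constructed Rack env for the given Range header and run it through
# the limiter; returns the Rack triplet [status, headers, body].
def run_sample(range_header, max_ranges: RangeCountLimiter::DEFAULT_MAX_RANGES)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/file.bin" }
  env["HTTP_RANGE"] = range_header if range_header
  RangeCountLimiter.new(INNER_APP, max_ranges: max_ranges).call(env)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal two-range request and an over-limit request
  # made of 100 identical, overlapping ranges of the kind the advisory describes.
  normal = "bytes=0-99,100-199"
  flood  = "bytes=" + Array.new(100) { "0-1" }.join(",")
  puts "normal request -> #{run_sample(normal)[0]}"   # 200
  puts "100 ranges     -> #{run_sample(flood)[0]}"    # 416
end
```

Mount the limiter early in the middleware stack (for example with `use RangeCountLimiter, max_ranges: 8` in `config.ru`) so the check runs before any file-serving middleware. It is a stopgap alongside the upgrade, not a replacement for it: the count check is cheap because it only splits a string, whereas the downstream per-range work is what the vulnerability abuses. An alternative policy is to delete `HTTP_RANGE` from the env and serve the full resource, which is also bounded but costs more bandwidth.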
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6, or later, as appropriate for your current version. This will address the denial of service vulnerability caused by unlimited byte range processing in HTTP Range headers.
CVE-2026-34826 is a denial-of-service vulnerability in the Ruby Rack library affecting versions 2.2.9 and earlier. Attackers can exploit it by sending numerous overlapping byte range requests, causing resource exhaustion.
You are affected if you are using Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Rack version 2.2.23 or later to resolve the vulnerability. Consider WAF rules or rate limiting as temporary mitigations.
As of the current assessment, CVE-2026-34826 is not known to be actively exploited, but the vulnerability's nature makes it easily exploitable.
Refer to the official Ruby Rack project website and security advisories for the latest information and updates regarding CVE-2026-34826.