CVE-2026-33174
Published: 24 March 2026
Summary
CVE-2026-33174 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Ruby on Rails, specifically in Active Storage's proxy delivery controller. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 6.6th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog. That low ranking should not be read as low risk for an application that exposes proxy-mode endpoints: triggering the condition takes nothing more than an ordinary unauthenticated HTTP request carrying a Range header.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Prompt remediation, by upgrading Rails (Active Storage) to 8.1.2.1, 8.0.4.1, or 7.2.3.1, removes the memory exhaustion vulnerability triggered by unbounded Range headers.
Validating HTTP Range headers so that only bounded byte ranges of limited size reach the proxy controller prevents it from loading entire files into memory. Rejecting only open-ended forms such as bytes=0- is not enough: a bounded range such as bytes=0-999999999 is just as large, so the check must cap the requested length, not merely require an upper bound.
Denial-of-service protections such as rate limiting, traffic validation, and per-client resource quotas limit how many malicious Range requests an attacker can issue, which reduces exploitability through repeated or concurrent requests but does not remove the underlying flaw.
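An added example, not Rails' or Rack's own code, of the second and third controls as a compensating layer in front of the proxy routes while a deployment waits for the patch: a Rack-style middleware that clamps open-ended Range headers to a fixed maximum length, rejects oversized, suffix-too-large or multi-part ranges with 416, and applies a per-client request quota. The class name, the 8 MiB cap, the 60-requests-per-minute budget and the sample request are assumptions; the route prefixes are Active Storage's default proxy routes. It uses only the Rack env and response conventions, so it runs without the gem installed.

```ruby
# Added example (not Rails' or Rack's code): bound Range headers and apply a
# per-client quota on Active Storage's proxy delivery routes.

# Active Storage's proxy delivery routes under the default mount prefix.
PROXY_PATH = %r{\A/rails/active_storage/(?:blobs|representations)/proxy/}

class BoundedRangeGuard
  # max_range: largest byte range passed upstream (assumed 8 MiB);
  # budget/window: proxy requests allowed per client IP per window seconds
  # (assumed 60 per minute); clock: injectable so the window can be tested.
  def initialize(app, max_range: 8 * 1024 * 1024, budget: 60, window: 60,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @app, @max_range, @budget, @window, @clock = app, max_range, budget, window, clock
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.match?(PROXY_PATH)

    return respond(429, "Too Many Requests") if over_budget?(env["REMOTE_ADDR"].to_s)

    if (range = env["HTTP_RANGE"])
      bounded = bound_range(range)
      return respond(416, "Range Not Satisfiable") if bounded.nil?
      env["HTTP_RANGE"] = bounded       # upstream only ever sees a bounded range
    end
    @app.call(env)
  end

  # Map a Range header to one the upstream may safely serve, or nil to reject:
  #   "bytes=first-last"  kept if its length fits the cap
  #   "bytes=first-"      clamped to "bytes=first-(first+cap-1)"; the client
  #                       receives a 206 for that slice and asks for the rest
  #   "bytes=-N"          kept if N fits the cap
  # Multi-part ranges and non-byte units are rejected outright.
  def bound_range(header)
    case header
    when /\Abytes=(\d+)-(\d+)\z/
      first, last = $1.to_i, $2.to_i
      first <= last && last - first + 1 <= @max_range ? header : nil
    when /\Abytes=(\d+)-\z/
      first = $1.to_i
      "bytes=#{first}-#{first + @max_range - 1}"
    when /\Abytes=-(\d+)\z/
      $1.to_i <= @max_range ? header : nil
    end
  end

  private

  # Sliding-window counter per client IP (the "resource quota" control).
  # Process-local: behind several app servers, back this with a shared store.
  def over_budget?(ip)
    now = @clock.call
    stamps = @hits[ip]
    stamps.reject! { |t| t <= now - @window }
    stamps << now
    stamps.size > @budget
  end

  def respond(status, text)
    [status, { "content-type" => "text/plain" }, [text]]
  end
end

if __FILE__ == $PROGRAM_NAME
  app = BoundedRangeGuard.new(->(env) { [206, {}, ["served #{env["HTTP_RANGE"]}"]] })
  req = { "PATH_INFO" => "/rails/active_storage/blobs/proxy/abc/video.mp4",
          "REMOTE_ADDR" => "203.0.113.5", "HTTP_RANGE" => "bytes=0-" }
  p app.call(req)   # constructed request: open-ended range is clamped
end
```

Clamping rather than rejecting open-ended ranges keeps browsers' video seeking and resumable downloads working: the client receives a 206 with a shorter Content-Range and requests the remainder. This is a stopgap for the window before the upgrade, not a substitute for it, since the unpatched controller still buffers whatever range gets through.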
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote, unauthenticated exploitation of a public-facing Rails Active Storage proxy endpoint via a malicious Range header to trigger a memory exhaustion DoS. This maps to T1190 (Exploit Public-Facing Application), because the vector is exploitation of an exposed application even though the outcome here is loss of availability rather than a foothold, and to T1499.004 (Endpoint Denial of Service: Application or System Exploitation) for the resulting denial of service.
NVD Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
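The buffering pattern the description refers to, as an added example that is not Active Storage's own code: a minimal Ruby model of serving one byte range, first by reading the whole range into memory (the behaviour described above) and then by streaming it in fixed-size chunks so that peak memory no longer depends on the file size. The Range parser follows the single-range forms of the HTTP Range syntax; the file contents, CHUNK_SIZE and the function names are constructed for illustration.

```ruby
# Added example (not Active Storage's code): buffered vs. streamed range serving.
require "stringio"

# Largest slice buffered at one time by the hardened path (assumed value).
CHUNK_SIZE = 64 * 1024

# Parse a single-range HTTP Range header against a resource of +size+ bytes:
# "bytes=first-last", "bytes=first-" (to end of file) and "bytes=-N" (last N
# bytes). Returns [first, last] or nil when the range is unsatisfiable.
def parse_range(header, size)
  m = header.to_s.match(/\Abytes=(\d*)-(\d*)\z/)
  return nil if m.nil? || size.zero? || (m[1].empty? && m[2].empty?)
  if m[1].empty?                          # suffix form
    n = m[2].to_i
    return nil if n.zero?
    [[size - n, 0].max, size - 1]
  else
    first = m[1].to_i
    return nil if first >= size
    last = m[2].empty? ? size - 1 : [m[2].to_i, size - 1].min
    first <= last ? [first, last] : nil
  end
end

# Vulnerable pattern (what the advisory describes): the whole range is read
# into one String before any of it is sent, so peak memory equals the range
# length and "bytes=0-" costs the entire file.
def serve_range_buffered(io, first, last)
  io.seek(first)
  body = io.read(last - first + 1)
  yield body
  body.bytesize                            # peak bytes held at once
end

# Hardened pattern: the same range streamed in fixed-size pieces, so peak
# memory is bounded by +chunk+ no matter how large the requested range is.
def serve_range_streamed(io, first, last, chunk = CHUNK_SIZE)
  io.seek(first)
  remaining = last - first + 1
  peak = 0
  while remaining > 0
    piece = io.read([chunk, remaining].min)
    break if piece.nil?
    peak = piece.bytesize if piece.bytesize > peak
    yield piece
    remaining -= piece.bytesize
  end
  peak
end

# Serve +blob+ (a String standing in for a stored file) for one Range header
# and report [bytes_sent, peak_buffer] for the chosen strategy.
def serve(blob, range_header, streamed:)
  first, last = parse_range(range_header, blob.bytesize)
  return [0, 0] if first.nil?              # a real server answers 416 here
  io = StringIO.new(blob)
  sent = 0
  peak = if streamed
           serve_range_streamed(io, first, last) { |piece| sent += piece.bytesize }
         else
           serve_range_buffered(io, first, last) { |piece| sent += piece.bytesize }
         end
  [sent, peak]
end

if __FILE__ == $PROGRAM_NAME
  blob = "x" * (8 * 1024 * 1024)          # constructed 8 MiB "file"
  p serve(blob, "bytes=0-", streamed: false)   # whole file buffered at once
  p serve(blob, "bytes=0-", streamed: true)    # never more than CHUNK_SIZE
end
```

Both strategies send the same bytes; the difference is only in the peak allocation, which is the quantity an attacker controls in the vulnerable case.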
Deeper analysis
CVE-2026-33174 is a denial-of-service vulnerability in Active Storage, a component of Ruby on Rails applications that enables attaching cloud and local files. In versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1, when files are served through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before transmission. A specially crafted HTTP request with a large or unbounded Range header, such as "bytes=0-", triggers allocation of memory proportional to the file size, potentially exhausting server resources.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable remotely over the network with low complexity, no authentication or user interaction required. Any unauthenticated attacker who can reach the Rails application's file-serving endpoint in proxy mode can send repeated or concurrent requests with malicious Range headers, causing progressive memory exhaustion and disrupting service availability. The impact is limited to availability, with no confidentiality or integrity effects.
Patches addressing this issue are available in Rails (Active Storage) versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, as detailed in the corresponding GitHub release tags and commit histories. Security practitioners should upgrade affected applications to these versions to mitigate the risk, and review configurations to ensure proxy delivery mode is not unnecessarily exposed. That review has limits: Active Storage draws its proxy routes (/rails/active_storage/blobs/proxy/... and /rails/active_storage/representations/proxy/...) by default even when the application resolves attachments to redirect URLs (the default for config.active_storage.resolve_model_to_route), so anyone holding a valid signed blob id can still reach the proxy controller unless the routes are disabled with config.active_storage.draw_routes = false. Upgrading is therefore the only complete fix.
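For the detection side, an added example that is not part of the advisory: a scan over access-log lines that flags clients repeatedly requesting open-ended or oversized byte ranges from the proxy routes, the "repeated or concurrent requests" pattern described above. The log lines and their format are constructed; a stock access log does not record the Range header, so the log format must be extended to include it (for nginx, the $http_range variable). The threshold and cap are assumptions.

```ruby
# Added example (not from the advisory): find clients abusing Range on
# Active Storage proxy routes, using constructed log lines that carry the
# request's Range header as the final quoted field.

PROXY_PATH = %r{\A/rails/active_storage/(?:blobs|representations)/proxy/}

# ip ident user [time] "method path proto" status bytes "range"
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-) "(?<range>[^"]*)"\z/

# Constructed sample: one client hammering a large blob with unbounded and
# absurdly wide ranges, one well-behaved client, one non-proxy request.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [24/Mar/2026:10:00:01 +0000] "GET /rails/active_storage/blobs/proxy/eyJf/video.mp4 HTTP/1.1" 206 104857600 "bytes=0-"
  203.0.113.5 - - [24/Mar/2026:10:00:02 +0000] "GET /rails/active_storage/blobs/proxy/eyJf/video.mp4 HTTP/1.1" 206 104857600 "bytes=0-"
  203.0.113.5 - - [24/Mar/2026:10:00:03 +0000] "GET /rails/active_storage/blobs/proxy/eyJf/video.mp4 HTTP/1.1" 206 104857600 "bytes=0-999999999999"
  198.51.100.7 - - [24/Mar/2026:10:00:04 +0000] "GET /rails/active_storage/blobs/proxy/eyJf/video.mp4 HTTP/1.1" 206 1048576 "bytes=0-1048575"
  198.51.100.7 - - [24/Mar/2026:10:00:05 +0000] "GET /rails/active_storage/representations/proxy/eyJf/abc/thumb.jpg HTTP/1.1" 200 20480 "-"
  192.0.2.9 - - [24/Mar/2026:10:00:06 +0000] "GET /posts/1 HTTP/1.1" 200 5120 "bytes=0-"
LOG

# A range is risky when the request alone cannot bound its size (open-ended)
# or when the requested length exceeds max_range.
def risky_range?(range, max_range)
  case range
  when /\Abytes=\d+-\z/          then true                          # open-ended
  when /\Abytes=-(\d+)\z/        then $1.to_i > max_range           # suffix form
  when /\Abytes=(\d+)-(\d+)\z/   then $2.to_i - $1.to_i + 1 > max_range
  else false
  end
end

# Returns { ip => { hits:, bytes: } } for clients whose risky proxy requests
# reach +threshold+ within the scanned log.
def find_range_abusers(log, max_range: 8 * 1024 * 1024, threshold: 2)
  per_ip = Hash.new { |h, k| h[k] = { hits: 0, bytes: 0 } }
  log.each_line do |line|
    next unless (m = LOG_LINE.match(line.strip))
    next unless m[:path].match?(PROXY_PATH) && risky_range?(m[:range], max_range)
    entry = per_ip[m[:ip]]
    entry[:hits] += 1
    entry[:bytes] += m[:bytes].to_i          # response bytes: a proxy for memory burned
  end
  per_ip.select { |_, e| e[:hits] >= threshold }
end

if __FILE__ == $PROGRAM_NAME
  p find_range_abusers(SAMPLE_LOG)   # only 203.0.113.5 trips the threshold
end
```

A single open-ended range is normal client behaviour (media players and download managers send bytes=N- routinely), which is why the rule keys on repetition and on the response size rather than on any one request.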
Details
- CWE(s)