CVE-2026-33176
Published: 24 March 2026
Summary
CVE-2026-33176 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Active Support, the support library shipped with Ruby on Rails. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Upgrading Active Support to the patched versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 directly remediates the DoS caused by BigDecimal expansion; the versions listed are the fixed releases, not the vulnerable ones.
- SC-6 (Resource Availability): enforce memory and CPU limits on request handling so that formatting a large scientific notation string cannot exhaust the host.
- SI-10 (Information Input Validation): validate input reaching the Active Support number helpers and reject or sanitize scientific notation strings that would cause uncontrolled BigDecimal expansion.
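The following is an added illustration, not Rails code and not taken from the advisory. It shows the pattern the advisory describes (a string is converted to a BigDecimal and then rendered in fixed notation, so the output grows with the exponent) beside an SI-10 style guard. The function names `expand_fixed`, `safe_decimal` and `safe_expand_fixed`, the `UnsafeNumber` error, and the `MAX_INPUT_LENGTH` and `MAX_EXPONENT` bounds are assumptions chosen for the example.

```ruby
require "bigdecimal"

# Hypothetical formatter mirroring the pattern in the advisory: convert
# caller-supplied text to a BigDecimal, then render it in plain (non-scientific)
# notation. Constructing the BigDecimal is cheap because it stores the exponent;
# the cost appears when to_s("F") materialises every digit.
def expand_fixed(str)
  BigDecimal(str).to_s("F")
end

# Length of the expanded string, to show how the cost scales with the exponent:
# "1eN" becomes "1", N zeros and a trailing ".0", i.e. N + 3 characters.
def expanded_length(str)
  expand_fixed(str).length
end

# --- Hardened variant (SI-10 style input validation; hypothetical names) ---

class UnsafeNumber < ArgumentError; end

MAX_INPUT_LENGTH = 64  # assumed bound; long enough for any realistic amount
MAX_EXPONENT     = 308 # assumed bound; no legitimate currency or count needs more

# Strict grammar: optional sign, digits, optional fraction, optional exponent.
NUMBER_RE = /\A[+-]?\d+(?:\.\d+)?(?:[eE](?<exp>[+-]?\d+))?\z/

# Parse str into a BigDecimal only if it is short, well formed, and its
# exponent (if any) is bounded. Everything else is rejected before BigDecimal
# ever sees it, so no unbounded expansion can be triggered downstream.
def safe_decimal(str, max_exponent: MAX_EXPONENT)
  s = str.to_s.strip
  raise UnsafeNumber, "input too long (#{s.length} chars)" if s.length > MAX_INPUT_LENGTH
  m = NUMBER_RE.match(s)
  raise UnsafeNumber, "not a plain decimal: #{s.inspect}" unless m
  if m[:exp] && m[:exp].to_i.abs > max_exponent
    raise UnsafeNumber, "exponent #{m[:exp]} exceeds #{max_exponent}"
  end
  BigDecimal(s)
end

def safe_expand_fixed(str, max_exponent: MAX_EXPONENT)
  safe_decimal(str, max_exponent: max_exponent).to_s("F")
end

if $PROGRAM_NAME == __FILE__
  puts expanded_length("1e20000")   # a 7-byte input becomes 20003 characters
  puts safe_expand_fixed("12.5e2")  # ordinary input still formats normally
  begin
    safe_expand_fixed("1e10000")
  rescue UnsafeNumber => e
    puts "rejected: #{e.message}"
  end
end
```

The length check matters as much as the exponent check: a multi-megabyte mantissa with no exponent is also expensive to parse and format, and the exponent digits themselves could be arbitrarily long without it. Bounding the raw string first keeps the regex and the integer conversion cheap.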
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated network exploitation of public-facing Rails applications (T1190) via malicious numeric input, which directly causes application-layer resource exhaustion (T1499.004, Application or System Exploitation).
NVD Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Deeper analysis
CVE-2026-33176 is a denial-of-service vulnerability in Active Support, a toolkit of support libraries and Ruby core extensions extracted from the Ruby on Rails framework. In versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support's number helpers accept strings in scientific notation, such as "1e10000". When processed, the Ruby BigDecimal library expands these into extremely large decimal representations, leading to excessive memory allocation and CPU consumption during formatting.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity by unauthenticated attackers without user interaction. An attacker can supply a malicious scientific notation string to an affected number helper, triggering resource exhaustion that disrupts service availability through high memory and CPU usage.
Patches are available in Active Support versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, as detailed in the Rails GitHub commits and release tags. Security practitioners should upgrade to these fixed versions; older release series that did not receive one of these patches should be treated as affected. The issue is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
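An added helper, not part of the advisory or of Rails, for checking a resolved `activesupport` version against the fixed releases named above. It assumes that release series newer than 8.1 were cut after the fix and that series older than 7.2 received no patch; the function names, the constructed `Gemfile.lock` excerpt, and those two assumptions are the example's own.

```ruby
require "rubygems"

# Fixed Active Support versions from the advisory, keyed by release series.
FIXED_VERSIONS = {
  "8.1" => Gem::Version.new("8.1.2.1"),
  "8.0" => Gem::Version.new("8.0.4.1"),
  "7.2" => Gem::Version.new("7.2.3.1"),
}.freeze

NEWEST_PATCHED_SERIES = Gem::Version.new("8.1")

# True if the given activesupport version carries the fix for CVE-2026-33176.
def patched?(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments.first(2).join(".")
  if (fixed = FIXED_VERSIONS[series])
    v >= fixed
  else
    # Assumption: series newer than 8.1 were released after the fix; series
    # older than 7.2 (7.1, 7.0, ...) received no patch and count as vulnerable.
    Gem::Version.new(series) > NEWEST_PATCHED_SERIES
  end
end

# Pull the resolved activesupport version out of Gemfile.lock text. The "specs:"
# entry has the form "activesupport (x.y.z)"; dependency lines such as
# "activesupport (= x.y.z)" do not match because of the "=".
def activesupport_version(lock_text)
  lock_text[/^\s+activesupport \(([\d.]+)\)/, 1]
end

def lockfile_patched?(lock_text)
  version = activesupport_version(lock_text) or raise ArgumentError, "activesupport not in lockfile"
  patched?(version)
end

# Constructed Gemfile.lock excerpt for illustration (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (8.0.4)
        base64
        bigdecimal
      rails (8.0.4)
        activesupport (= 8.0.4)
LOCK

if $PROGRAM_NAME == __FILE__
  v = activesupport_version(SAMPLE_LOCK)
  puts "activesupport #{v}: #{patched?(v) ? 'patched' : 'VULNERABLE'}"
end
```

Run it against each application's `Gemfile.lock` (for example `lockfile_patched?(File.read("Gemfile.lock"))`) rather than against the `rails` gem version alone, since `activesupport` can be pinned independently.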
Details
- CWE(s)