Cyber Resilience

CVE-2026-33306

Medium

Published: 24 March 2026
Modified: 30 March 2026
KEV Added:
Patch:
CVSS Score v4: 4.5 (CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33306 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Bcrypt-Ruby Project Bcrypt-Ruby. Its CVSS base score is 4.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). It ranks at the 1.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-33306 is an integer overflow vulnerability (CWE-190) in the JRuby implementation of the bcrypt-ruby gem, a Ruby binding for the OpenBSD bcrypt password hashing algorithm. In versions prior to 3.1.22, the BCrypt.java code computes the key-strengthening round count as a signed 32-bit integer. When applications set the cost parameter to its maximum value of 31, this triggers a signed integer overflow, resulting in a negative round count and zero iterations in the strengthening loop. Consequently, bcrypt collapses from 2^31 rounds of exponential key strengthening to a constant-time computation, retaining only the initial EksBlowfish key setup and final 64x encryption phase. Affected hashes appear valid (e.g., starting with $2a$31$...) and pass verification via checkpw, rendering the flaw undetectable to applications.

Remote attackers can exploit this vulnerability with no privileges or user interaction required (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation occurs when verifying or generating hashes with cost=31, allowing attackers to crack passwords significantly faster due to the reduced computational cost. Any application using bcrypt-ruby on JRuby with cost=31 is vulnerable, enabling efficient brute-force or dictionary attacks against stored password hashes.

The bcrypt-ruby security advisory (GHSA-f27w-vcwj-c954), release notes for v3.1.22, and fixing commit (831ce64cb0a9502130fa93a28bfd9527a5fa45c4) confirm the issue is resolved in version 3.1.22. As a workaround, applications should set the cost to a value less than 31.
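The arithmetic described above, modelled in Ruby as an added example (not code from bcrypt-ruby or from this page). It assumes the round count is formed as `1 << cost` and consumed by a counting loop, emulates the signed 32-bit wrap, and scans constructed sample records for cost-31 hashes that warrant review; all function names and sample rows are hypothetical.

```ruby
# Added illustration: models the signed 32-bit round count the advisory describes.

# Wrap an Integer to signed 32-bit (Java `int`) semantics.
def to_int32(n)
  n &= 0xFFFF_FFFF
  n >= 0x8000_0000 ? n - 0x1_0000_0000 : n
end

# Round count as held in a signed 32-bit variable (assumed form: 1 << cost).
def rounds_int32(cost)
  to_int32(1 << cost)
end

# Round count the algorithm intends (Ruby integers do not wrap).
def expected_rounds(cost)
  1 << cost
end

# Iterations performed by a loop of the shape `for (i = 0; i < rounds; i++)`.
def loop_iterations(rounds)
  rounds.positive? ? rounds : 0
end

# Modular-crypt bcrypt prefix: $2<variant>$<two-digit cost>$...
BCRYPT_PREFIX = /\A\$2[abxy]?\$(\d{2})\$/

# Cost embedded in a stored hash, or nil when the value is not a bcrypt hash.
def bcrypt_cost(hash)
  m = BCRYPT_PREFIX.match(hash.to_s)
  m && m[1].to_i
end

# Users whose stored hash carries cost 31 and needs review on JRuby.
def cost31_records(records)
  records.select { |_user, hash| bcrypt_cost(hash) == 31 }.keys
end

# Constructed sample rows (user => hash); salt/digest bodies are filler.
SAMPLE = {
  "alice" => "$2a$12$" + "A" * 53,
  "bob"   => "$2a$31$" + "B" * 53,
  "carol" => "$2b$10$" + "C" * 53,
  "dave"  => "not-a-bcrypt-hash"
}.freeze

if __FILE__ == $PROGRAM_NAME
  [12, 30, 31].each do |c|
    r = rounds_int32(c)
    puts format("cost=%2d int32=%11d iterations=%d expected=%d", c, r, loop_iterations(r), expected_rounds(c))
  end
  puts "cost-31 hashes to review: #{cost31_records(SAMPLE).inspect}"
end
```

Because a cost-31 hash still verifies, a scan of the stored hash prefix is the practical way to find affected records.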

Vulnerability details

bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1110.002 Password Cracking (tactic: Credential Access)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
Why these techniques?

Integer overflow nullifies bcrypt cost=31 rounds, directly enabling efficient offline password cracking (brute-force/dictionary) against stored hashes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40962 (shared CWE-190)
CVE-2025-0587 (shared CWE-190)
CVE-2026-4775 (shared CWE-190)
CVE-2025-30404 (shared CWE-190)
CVE-2025-53518 (shared CWE-190)
CVE-2026-33040 (shared CWE-190)
CVE-2026-24660 (shared CWE-190)
CVE-2026-31633 (shared CWE-190)
CVE-2026-37555 (shared CWE-190)
CVE-2024-55656 (shared CWE-190)

Affected Assets

bcrypt-ruby project
bcrypt-ruby
≤ 3.1.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 mandates timely identification, reporting, and correction of flaws, directly requiring update of vulnerable bcrypt-ruby versions prior to 3.1.22 to eliminate the integer overflow in JRuby.

Prevent: CM-6 requires establishment and enforcement of secure configuration settings, such as restricting bcrypt cost to less than 31 to prevent triggering the signed integer overflow.

Detect: RA-5 implements vulnerability scanning to identify systems using vulnerable bcrypt-ruby versions with cost=31 configurations, enabling proactive mitigation.
