CVE-2026-33306
Published: 24 March 2026
Summary
CVE-2026-33306 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the bcrypt-ruby gem (Bcrypt-Ruby Project). Its CVSS base score is 4.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). It is ranked at the 1.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-33306 is an integer overflow vulnerability (CWE-190) in the JRuby implementation of the bcrypt-ruby gem, a Ruby binding for the OpenBSD bcrypt password hashing algorithm. In versions prior to 3.1.22, the BCrypt.java code computes the key-strengthening round count as a signed 32-bit integer. When applications set the cost parameter to its maximum value of 31, this triggers a signed integer overflow, resulting in a negative round count and zero iterations in the strengthening loop. Consequently, bcrypt collapses from 2^31 rounds of exponential key strengthening to a constant-time computation, retaining only the initial EksBlowfish key setup and final 64x encryption phase. Affected hashes appear valid (e.g., starting with $2a$31$...) and pass verification via checkpw, rendering the flaw undetectable to applications.
Remote attackers can exploit this vulnerability with no privileges or user interaction required (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation occurs when verifying or generating hashes with cost=31, allowing attackers to crack passwords significantly faster due to the reduced computational cost. Any application using bcrypt-ruby on JRuby with cost=31 is vulnerable, enabling efficient brute-force or dictionary attacks against stored password hashes.
The bcrypt-ruby security advisory (GHSA-f27w-vcwj-c954), release notes for v3.1.22, and fixing commit (831ce64cb0a9502130fa93a28bfd9527a5fa45c4) confirm the issue is resolved in version 3.1.22. As a workaround, applications should set the cost to a value less than 31.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14670
Vulnerability details
bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31.
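As an added example (not bcrypt-ruby's code), the Ruby script below models the signed 32-bit `1 << cost` computation the advisory describes, assumes a `for (i = 0; i < rounds; i++)` loop shape so that a negative count means zero passes, shows a bounded-cost alternative (an assumed fix, not necessarily what the upstream commit does), and audits a constructed list of stored hashes for the `$2a$31$` cost field so affected records can be rehashed.

```ruby
# Added example, not bcrypt-ruby's code: models the signed 32-bit round count.
# Wrap a Ruby Integer to Java `int` (signed 32-bit) semantics.
def to_int32(n)
  n &= 0xFFFF_FFFF
  n >= 2**31 ? n - 2**32 : n
end

# Vulnerable shape: `1 << cost` in an int; cost=31 gives Integer.MIN_VALUE.
def rounds_int32(cost)
  to_int32(1 << cost)
end

# Passes done by a `for (i = 0; i < rounds; i++)` loop: none when negative.
def strengthening_iterations(rounds)
  rounds.positive? ? rounds : 0
end

# Hardened shape (assumed fix, not necessarily the upstream commit): bound the
# cost so the count cannot overflow, and compute it in unbounded arithmetic.
MAX_SAFE_COST = 30
def rounds_checked(cost)
  unless (4..MAX_SAFE_COST).cover?(cost)
    raise ArgumentError, "bcrypt cost must be 4..#{MAX_SAFE_COST}, got #{cost}"
  end
  1 << cost
end

# Modular-crypt bcrypt string: $2a$ (or 2, 2b, 2x, 2y), 2-digit cost, then a
# 22-char salt and 31-char digest in bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = /\A\$2[abxy]?\$(\d{2})\$[.\/A-Za-z0-9]{53}\z/
def bcrypt_cost(hash)
  m = BCRYPT_RE.match(hash)
  m && m[1].to_i
end

# Audit: on JRuby with bcrypt-ruby < 3.1.22, every $2a$31$ hash was produced
# with zero strengthening rounds; it verifies fine but should be rehashed.
def weak_cost31_hashes(hashes)
  hashes.select { |h| bcrypt_cost(h) == 31 }
end

# Constructed sample hashes (salt/digest are placeholders, not real output).
SALT = "abcdefghijklmnopqrstuv"      # 22 chars
DIGEST = "0123456789" * 3 + "0"       # 31 chars
SAMPLE_HASHES = [
  "$2a$31$#{SALT}#{DIGEST}",
  "$2a$12$#{SALT}#{DIGEST}",
  "$2b$31$#{SALT}#{DIGEST}",
  "$2a$10$short",                     # malformed, ignored by the audit
].freeze
```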
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Integer overflow nullifies bcrypt cost=31 rounds, directly enabling efficient offline password cracking (brute-force/dictionary) against stored hashes.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and correction of flaws, which directly requires updating bcrypt-ruby versions prior to 3.1.22 to eliminate the integer overflow in the JRuby implementation.
CM-6 requires establishment and enforcement of secure configuration settings, such as restricting bcrypt cost to less than 31 to prevent triggering the signed integer overflow.
RA-5 implements vulnerability scanning to identify systems using vulnerable bcrypt-ruby versions with cost=31 configurations, enabling proactive mitigation.