CVE-2026-34230
Published: 02 April 2026
Summary
CVE-2026-34230 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rack, the Ruby web server interface. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its exploit likelihood ranks at the 6.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: patch Rack::Utils.select_best_encoding by upgrading to fixed versions 2.2.23, 3.1.21, or 3.2.6, which eliminates the quadratic CPU consumption.
- SC-5 (Denial-of-service Protection): denial-of-service protections tailored to block or limit crafted Accept-Encoding headers that cause disproportionate CPU usage in Rack::Deflater.
- SC-6 (Resource Availability): resource allocation controls and monitoring that protect against CPU exhaustion from quadratic processing of wildcard-heavy Accept-Encoding headers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in Rack::Utils.select_best_encoding enables a single crafted Accept-Encoding header to trigger quadratic CPU exhaustion in Rack::Deflater, directly facilitating Endpoint Denial of Service via application exploitation (T1499.004).
NVD Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Deeper analysis
CVE-2026-34230 affects Rack, a modular Ruby web server interface, in versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability resides in the Rack::Utils.select_best_encoding method, which processes Accept-Encoding HTTP header values with quadratic time complexity when the header includes many wildcard (*) entries. This flaw impacts applications using the Rack::Deflater middleware, as the method is invoked to select the optimal response encoding during compression.
An unauthenticated remote attacker can exploit this vulnerability by sending a single HTTP request with a crafted Accept-Encoding header containing numerous wildcard entries. The quadratic processing leads to disproportionate CPU consumption on the server-side compression path, enabling a denial-of-service condition that degrades application availability. The issue carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-407 (Algorithmic Complexity).
The vulnerability has been patched in Rack versions 2.2.23, 3.1.21, and 3.2.6. Security practitioners should upgrade affected applications to these fixed releases. Additional details on the advisory and patch are available at https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr.
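Upgrading is the fix. For deployments that cannot move to a patched release immediately, the SC-5/SC-6 controls above can be approximated in front of Rack::Deflater. The middleware below is an added example, not Rack's own code and not part of the advisory: it bounds the Accept-Encoding header (raw size, number of codings, number of "*" entries) before anything downstream calls Rack::Utils.select_best_encoding, and degrades to an uncompressed response instead of failing the request. The class name, the budget values, and the env key rack.accept_encoding_guard.rejected are assumptions; it follows the plain Rack middleware convention (an object with call(env) wrapping an app) and runs with plain Ruby, no gems required.

```ruby
# Added example, not Rack's own code: a Rack middleware that bounds the
# Accept-Encoding header before Rack::Deflater (or anything else calling
# Rack::Utils.select_best_encoding) processes it. On an unpatched Rack the
# quadratic path is reached only through wildcard-heavy headers, so capping
# size, entry count and wildcard count removes the trigger. Class name,
# env key and budget values are assumptions, not advisory content.
class AcceptEncodingGuard
  MAX_BYTES     = 256  # assumed budget for the raw header value
  MAX_ENTRIES   = 16   # assumed budget for comma-separated codings
  MAX_WILDCARDS = 1    # a conforming client needs at most one "*" entry
  REJECTED_KEY  = "rack.accept_encoding_guard.rejected".freeze # assumed hook for logging

  def initialize(app, max_bytes: MAX_BYTES, max_entries: MAX_ENTRIES, max_wildcards: MAX_WILDCARDS)
    @app = app
    @max_bytes = max_bytes
    @max_entries = max_entries
    @max_wildcards = max_wildcards
  end

  # Split a header value into codings and return [entry_count, wildcard_count].
  # Quality parameters ("gzip;q=0.5") are stripped before the "*" comparison.
  def self.stats(value)
    entries = value.split(",").map(&:strip).reject(&:empty?)
    wildcards = entries.count { |e| e.split(";", 2).first.strip == "*" }
    [entries.size, wildcards]
  end

  # True when the header is absent or within all three budgets. The byte
  # check runs first so the split itself stays bounded.
  def acceptable?(value)
    return true if value.nil? || value.empty?
    return false if value.bytesize > @max_bytes
    entries, wildcards = self.class.stats(value)
    entries <= @max_entries && wildcards <= @max_wildcards
  end

  def call(env)
    value = env["HTTP_ACCEPT_ENCODING"]
    unless acceptable?(value)
      # Degrade to an uncompressed response rather than failing the request:
      # "identity" contains no wildcard entries, and the marker lets the
      # application log or alert on the event (SC-6 style monitoring).
      env["HTTP_ACCEPT_ENCODING"] = "identity"
      env[REJECTED_KEY] = true
    end
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: a trivial app that echoes the header it received.
  app = ->(env) { [200, { "content-type" => "text/plain" }, [env["HTTP_ACCEPT_ENCODING"].to_s]] }
  guard = AcceptEncodingGuard.new(app)
  [{ "HTTP_ACCEPT_ENCODING" => "gzip, deflate;q=0.5, *;q=0.1" },
   { "HTTP_ACCEPT_ENCODING" => Array.new(40, "*").join(",") }].each do |env|
    status, _headers, body = guard.call(env)
    puts "#{status} #{body.join} rejected=#{env.fetch(AcceptEncodingGuard::REJECTED_KEY, false)}"
  end
end
```

In a config.ru the guard goes before the compressor (`use AcceptEncodingGuard` followed by `use Rack::Deflater`) so the bounded header is what Deflater sees. Setting REJECTED_KEY in the env rather than returning 4xx keeps legitimate-but-odd clients working while still giving request logging a field to count; a spike in that marker is the detection signal for this class of request.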
Details
- CWE(s)