CVE-2026-34826
Published: 02 April 2026
Summary
CVE-2026-34826 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rack Rack. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the flaw in Rack::Utils.get_byte_ranges through patching to versions 2.2.23, 3.1.21, or 3.2.6.
Implements denial-of-service protections at web server entry points to counter resource exhaustion from excessive HTTP Range header byte ranges.
Requires validation of HTTP Range header inputs to limit the number of byte ranges and prevent disproportionate CPU, memory, I/O, and bandwidth consumption.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in HTTP Range header parsing enables remote resource exhaustion leading to application DoS via exploitation of software weakness.
NVD Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte…
more
coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Deeper analysisAI
CVE-2026-34826 is a vulnerability in Rack, a modular Ruby web server interface, affecting versions prior to 2.2.23, 3.1.21, and 3.2.6. The issue resides in the Rack::Utils.get_byte_ranges function, which parses the HTTP Range header without imposing limits on the number of individual byte ranges requested. Although a prior fix for CVE-2024-26141 prevented ranges whose total coverage exceeded the file size, it did not cap the quantity of ranges, enabling resource exhaustion attacks.
Attackers can exploit this remotely without authentication by crafting HTTP requests to Rack file-serving paths that process multipart byte range responses. By supplying numerous small, overlapping ranges—such as repeated "0-0" entries—an attacker triggers excessive CPU, memory, I/O, and bandwidth usage per request, culminating in a denial-of-service condition. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
The Rack project has patched this issue in versions 2.2.23, 3.1.21, and 3.2.6. Security practitioners should upgrade affected deployments immediately. Additional details are available in the GitHub security advisory at https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx.
Details
- CWE(s)