CVE-2026-34826

NameCVE-2026-34826
DescriptionRack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack (PTS)bullseye2.1.4-3+deb11u2vulnerable
bullseye (security)2.1.4-3+deb11u5vulnerable
bookworm2.2.20-0+deb12u1vulnerable
bookworm (security)2.2.22-0+deb12u1vulnerable
trixie3.1.18-1~deb13u1vulnerable
trixie (security)3.1.20-0+deb13u1vulnerable
forky3.1.18-1vulnerable
sid3.2.5-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-racksourceexperimental3.2.6-1
ruby-racksource(unstable)(unfixed)

Notes

https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
Fixed by: https://github.com/rack/rack/commit/9138756fb0bcfb500abbb0b8ed90bc24911ff6a3 (v3.2.6)
Fixed by: https://github.com/rack/rack/commit/345a4cfa51f451e58b2931322998e04f3cf6dc0d (v3.1.21)
Fixed by: https://github.com/rack/rack/commit/94a7ca91a750ced0e445f39fabbc8ee6d2ab3bf1 (v2.2.23)
Search for package or bug name: Reporting problems