Denial of Service Vulnerability in Rack by Ruby
CVE-2026-34826

5.3 MEDIUM

Key Information:

Vendor: Rack
Status: Vendor
CVE Published: 2 April 2026

What is CVE-2026-34826?

Rack, the modular interface between Ruby web servers and web applications, does not sufficiently limit the number of byte ranges it processes from an HTTP Range header. An attacker can send requests carrying a large number of small, overlapping byte ranges, each of which the server has to locate and serve; this can exhaust CPU, memory, I/O and bandwidth and disrupt service. The affected versions are Rack 2.2.22 and earlier, Rack 3.1.20 and earlier, and Rack 3.2.5 and earlier. Users should update to the patched versions (2.2.23, 3.1.21 and 3.2.6) to mitigate this issue and keep their web applications reliable.
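One defensive control for the behaviour described above, as an added example that is not Rack's own patch: a Rack-compatible middleware that parses the Range header, caps the number of byte ranges a single request may ask for, and rejects sets of overlapping ranges before the application does any I/O. The class name, the default limit of 8 and the 416 reply are assumptions; ignoring the header and serving the full body would be an equally valid response.

```ruby
# Added example, not Rack's own fix. MAX_RANGES and the 416 reply are assumed
# choices; a server may instead ignore an abusive Range header entirely.
class RangeLimiter
  MAX_RANGES = 8 # assumed default; tune for your deployment

  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  # Parse "bytes=0-99,200-,-500" into [[0, 99], [200, nil], [-500, nil]].
  # A suffix range "-N" is stored as a negative start. Returns nil when the
  # header is absent or malformed (the app then serves the full body as usual).
  def self.parse_ranges(header)
    return nil unless header&.start_with?('bytes=')
    specs = header.delete_prefix('bytes=').split(',', -1).map(&:strip)
    return nil if specs.empty?
    specs.map do |spec|
      m = /\A(\d*)-(\d*)\z/.match(spec) or return nil
      first, last = m[1], m[2]
      return nil if first.empty? && last.empty?
      next [-last.to_i, nil] if first.empty?
      [first.to_i, last.empty? ? nil : last.to_i]
    end
  end

  # True when the request asks for more than max_ranges ranges, for more than
  # one suffix range (they always overlap at the end of the body), or for two
  # absolute ranges that overlap each other.
  def self.abusive?(header, max_ranges)
    ranges = parse_ranges(header)
    return false if ranges.nil?
    return true if ranges.size > max_ranges
    return true if ranges.count { |first, _| first.negative? } > 1
    absolute = ranges.reject { |first, _| first.negative? }.sort_by(&:first)
    absolute.each_cons(2).any? { |(_, last1), (first2, _)| last1.nil? || first2 <= last1 }
  end

  # Rack entry point: short-circuit abusive requests, otherwise pass through.
  def call(env)
    if self.class.abusive?(env['HTTP_RANGE'], @max_ranges)
      return [416, { 'content-type' => 'text/plain' }, ["Range Not Satisfiable\n"]]
    end
    @app.call(env)
  end
end
```

Mount it ahead of any file-serving middleware (for example with `use RangeLimiter, max_ranges: 8` in config.ru) so the check runs before the body is read.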

Affected Version(s)

rack < 2.2.23 (fixed in 2.2.23)

rack >= 3.0.0.beta1, < 3.1.21 (fixed in 3.1.21)

rack >= 3.2.0, < 3.2.6 (fixed in 3.2.6)

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
