Memory Growth Vulnerability in Puma Web Server Affecting Multiple Versions
CVE-2026-47736

7.5HIGH

Key Information:

Vendor

Puma

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-47736?

Puma, the Ruby/Rack web server known for its architecture designed for concurrency, has a vulnerability that arises when PROXY protocol v1 support is enabled. Under certain conditions, this vulnerability allows an attacker to send continuous data without the necessary CRLF termination, leading to unbounded growth of an internal memory buffer. This can result in performance degradation and increased CPU usage due to the repeated scans of the growing buffer. Versions 7.2.1 and 8.0.2 have been updated to address this issue, ensuring better resource management during operations.

Affected Version(s)

puma >= 5.5.0, < 7.2.1 < 5.5.0, 7.2.1

puma >= 8.0.0, < 8.0.2 < 8.0.0, 8.0.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.