CVE-2026-33176

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb	Patch
https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a	Patch
https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856	Patch
https://github.com/rails/rails/releases/tag/v7.2.3.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.0.4.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.1.2.1	Release Notes
https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::

History

24 Mar 2026, 17:55

Type	Values Removed	Values Added
Summary		(es) Active Support es un conjunto de herramientas de bibliotecas de soporte y extensiones del núcleo de Ruby extraídas del framework de Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, los ayudantes de números de Active Support aceptan cadenas que contienen notación científica (p. ej. '1e10000'), que `BigDecimal` expande en representaciones decimales extremadamente grandes. Esto puede causar una asignación excesiva de memoria y consumo de CPU cuando el número expandido es formateado, posiblemente resultando en una vulnerabilidad de DoS. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb -~~	() https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb - Patch
References	~~() https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a -~~	() https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a - Patch
References	~~() https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 -~~	() https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 - Patch
References	~~() https://github.com/rails/rails/releases/tag/v7.2.3.1 -~~	() https://github.com/rails/rails/releases/tag/v7.2.3.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.0.4.1 -~~	() https://github.com/rails/rails/releases/tag/v8.0.4.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.1.2.1 -~~	() https://github.com/rails/rails/releases/tag/v8.1.2.1 - Release Notes
References	~~() https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9 -~~	() https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9 - Vendor Advisory
CPE		cpe:2.3:a:rubyonrails:rails::::::::
First Time		Rubyonrails Rubyonrails rails

24 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 00:16

Updated : 2026-03-24 17:55

NVD link : CVE-2026-33176

Mitre link : CVE-2026-33176

CVE.ORG link : CVE-2026-33176

JSON object : View

Products Affected

rubyonrails

rails

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10