Moderate severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026
Rails Active Support has a possible DoS vulnerability in its number helpers
CVE-2026-33176
Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which BigDecimal expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
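As an added defensive example (not code from Rails or from the advisory), the following validator classifies an untrusted numeric string before it is handed to a number helper: plain decimals pass, exponent forms pass only when the exponent is within a cap, and anything else is refused. `safe_decimal`, `safe_number_string?` and `max_exponent` are names chosen for this example, not Active Support APIs.

```ruby
require "bigdecimal"

# Added example, not Rails code: validate an untrusted numeric string before it
# reaches a formatting helper. A plain decimal is accepted as-is; exponent
# notation is accepted only when the exponent is small, so a value like
# "1e10000" is refused rather than expanded into a 10,001-digit number.
PLAIN_DECIMAL = /\A[+-]?(?:\d+(?:\.\d+)?|\.\d+)\z/
EXP_DECIMAL   = /\A[+-]?(?:\d+(?:\.\d+)?|\.\d+)[eE]([+-]?\d+)\z/

# Returns a BigDecimal, or raises ArgumentError for input that should not be
# formatted. `max_exponent` (hypothetical knob) bounds how many digits an
# exponent may add to or remove from the mantissa.
def safe_decimal(str, max_exponent: 20)
  s = str.to_s.strip
  return BigDecimal(s) if s.match?(PLAIN_DECIMAL)

  m = s.match(EXP_DECIMAL)
  raise ArgumentError, "not a plain or exponent-form decimal: #{s.inspect}" unless m

  exponent = m[1].to_i
  if exponent.abs > max_exponent
    raise ArgumentError, "exponent #{exponent} exceeds limit of #{max_exponent}"
  end
  BigDecimal(s)
end

# Convenience predicate: true when the string is safe to pass to a number helper.
def safe_number_string?(str, max_exponent: 20)
  safe_decimal(str, max_exponent: max_exponent)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two acceptable values, one oversized exponent,
  # one non-numeric string.
  ["1234.5", "1e5", "1e10000", "12abc"].each do |input|
    puts "#{input.inspect} -> #{safe_number_string?(input)}"
  end
end
```

The cap is applied before `BigDecimal` is constructed, so the check itself never allocates the expanded representation.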
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activesupport (RubyGems) | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 |
| activesupport (RubyGems) | >= 8.0.0.beta1, < 8.0.4.1 | 8.0.4.1 |
| activesupport (RubyGems) | < 7.2.3.1 | 7.2.3.1 |
Affected products
OSV coordinates (no CPE is recorded for any entry):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/cinc-auditor | < 7.0.107-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.10 | < 18.10.3-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.10 | < 18.10.3-r0 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.9 | < 18.9.5-r0 |
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/chainguard/kube-logging-operator-fluentd-outputs | < 6.4.0-r9 |
| pkg:apk/chainguard/ruby3.2-rails-8.1 | < 8.1.3-r0 |
| pkg:apk/chainguard/ruby3.4-rails-8.0 | < 8.0.5-r0 |
| pkg:apk/wolfi/cinc-auditor | < 7.0.107-r1 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/wolfi/kube-logging-operator-fluentd-outputs | < 6.4.0-r9 |
| pkg:apk/wolfi/ruby3.2-rails-8.1 | < 8.1.3-r0 |
| pkg:apk/wolfi/ruby3.4-rails-8.0 | < 8.0.5-r0 |
| pkg:gem/activesupport | >= 8.1.0.beta1, < 8.1.2.1 |
References
- github.com/advisories/GHSA-2j26-frm8-cmj9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33176 (NVD advisory)
- github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb (fix commit)
- github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a (fix commit)
- github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 (fix commit)
- github.com/rails/rails/releases/tag/v7.2.3.1 (release)
- github.com/rails/rails/releases/tag/v8.0.4.1 (release)
- github.com/rails/rails/releases/tag/v8.1.2.1 (release)
- github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9 (vendor advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml (ruby-advisory-db entry)