PT-2026-29815 · Rack+3

Orenyomtov · Published 2026-04-02 · Updated 2026-05-13 · CVE-2026-34826

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Rack versions prior to 2.2.23, 3.1.21, and 3.2.6

Description: The Rack::Utils.get_byte_ranges function parses the HTTP Range header without limiting the number of individual byte ranges. The earlier fix for CVE-2024-26141 rejects ranges that exceed the file size, but it does not restrict how many ranges a single header may contain. An attacker can send numerous small, overlapping ranges (e.g., '0-0,0-0,0-0,...') to cause excessive CPU, memory, I/O, and bandwidth usage, leading to a denial of service in Rack file-serving paths that build multipart byte-range responses. Rack::Utils.get_byte_ranges accepts a comma-separated list of byte ranges and validates them by their aggregate size, but imposes no limit on the number of individual ranges supplied. The HTTP Range header is the vulnerable component.

Recommendations: Update to Rack version 2.2.23, 3.1.21, or 3.2.6 or later, matching the release line in use.
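One defensive check for this class of issue, as an added example that is not Rack's own code: a small Rack-style middleware that counts the range specifiers in the Range header and drops the header when the count exceeds a limit, so the downstream file server serves the full representation once instead of building a large multipart response. The class name RangeLimiter, the count_range_specs helper and the limit of 8 ranges are assumptions; the middleware uses only the plain Rack call(env) convention and needs no gem.

```ruby
# Added example, not Rack's own code. Caps the number of range specifiers
# in an HTTP Range header before the request reaches file-serving code.
# Assumption: 8 ranges per request is a generous ceiling for real clients.
MAX_RANGE_SPECS = 8

# Count the individual range specifiers in a Range header value such as
# "bytes=0-0,0-0,5-9". Returns 0 for a missing header or one that does
# not use the bytes unit (anything else is ignored by the file server).
def count_range_specs(header)
  return 0 if header.nil?
  m = header.match(/\Abytes=(.*)\z/i)
  return 0 unless m
  m[1].split(',').map(&:strip).reject(&:empty?).size
end

# Rack-style middleware: wraps any app that responds to call(env).
class RangeLimiter
  def initialize(app, max_specs: MAX_RANGE_SPECS)
    @app = app
    @max = max_specs
  end

  def call(env)
    n = count_range_specs(env['HTTP_RANGE'])
    if n > @max
      # Ignoring the Range header is permitted by HTTP; the app then
      # serves the whole file once, a bounded cost, instead of emitting
      # one multipart body part per supplied range.
      env.delete('HTTP_RANGE')
      env['rack.range_limiter.dropped'] = n # constructed key, for logging
    end
    @app.call(env)
  end
end
```

The env key rack.range_limiter.dropped is a constructed name so a logging layer can count rejected requests; a monitoring rule on that counter gives an early signal of abuse.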

Tags: Exploit, Fix, DoS

Weakness Enumeration: Allocation of Resources Without Limits; Resource Exhaustion

Related Identifiers

CVE-2026-34826
GHSA-X8CG-FQ8G-MXFX
OPENSUSE-SU-2026:10508-1
USN-8182-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu