Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch immediately
AI Analysis

Impact

Object number helpers within Ruby on Rails ActiveSupport can process strings formatted in scientific notation such as `1e10000`. Prior to the fix, the BigDecimal library expands these values into extremely large decimal representations, leading the formatter to allocate extravagant amounts of memory and perform costly computations. An attacker who can provide such oversized numeric input to the application can trigger these resource consumption spikes and cause a denial of service.

Affected Systems

The vulnerability afflicts the ActiveSupport component of the Ruby on Rails framework in the versions preceding 8.1.2.1, 8.0.4.1, and 7.2.3.1. Any Rails application using an older release or embedding a vulnerable ActiveSupport library is potentially exposed.

Risk and Exploitability

The CVSS v3.1 base score is 6.6, indicating a medium-high severity. The EPSS probability is less than 1 %, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is exploitation through input that includes large scientific notation numbers; the explosion of memory usage can be triggered by legitimate application traffic, making a front‑end denial of service possible once the formatter is invoked.

Generated by OpenCVE AI on March 24, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rails to version 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later, which contains the patch for this issue.
  • If an upgrade is not immediately feasible, validate or reject input strings that resemble very large scientific notation before they reach the number formatter.
  • Monitor application resource consumption for abnormal spikes in memory or CPU usage, which may indicate abuse of the vulnerable paths.

Generated by OpenCVE AI on March 24, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2j26-frm8-cmj9 Rails Active Support has a possible DoS vulnerability in its number helpers
History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Rubyonrails
Rubyonrails rails
CPEs cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Vendors & Products Rubyonrails
Rubyonrails rails
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rails
Rails activesupport
Vendors & Products Rails
Rails activesupport

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Title Rails Active Support has a possible DoS vulnerability in its number helpers
Weaknesses CWE-400
CWE-770
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Rails Activesupport
Rubyonrails Rails
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:42:48.858Z

Reserved: 2026-03-17T22:16:36.719Z

Link: CVE-2026-33176

cve-icon Vulnrichment

Updated: 2026-03-24T18:42:45.999Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T00:16:28.807

Modified: 2026-03-24T17:55:27.437

Link: CVE-2026-33176

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-23T23:29:27Z

Links: CVE-2026-33176 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:00Z

Weaknesses