{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-34230", "tracking": { "current_release_date": "2026-04-03T15:34:58.733536Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-34230", "initial_release_date": "2026-04-02T17:28:27.411999Z", "revision_history": [ { "date": "2026-04-02T17:28:27.411999Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-04-02T17:28:29.558712Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-04-02T17:39:37.177211Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (3).| References created (1).| CWES updated (1)." }, { "date": "2026-04-02T17:39:38.862275Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-04-02T20:52:57.978394Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-04-02T20:53:02.103467Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-04-03T00:44:17.066008Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Products connected (2)." }, { "date": "2026-04-03T00:44:19.448037Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-04-03T06:46:01.165253Z", "number": "9", "summary": "Description created for source." }, { "date": "2026-04-03T15:31:48.918685Z", "number": "10", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-04-03T15:32:01.139036Z", "number": "11", "summary": "NCSC Score updated." } ], "status": "interim", "version": "11" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<2.2.23", "product": { "name": "vers:unknown/<2.2.23", "product_id": "CSAFPID-5985093" } }, { "category": "product_version_range", "name": "vers:unknown/>=3.0.0.beta1|<3.1.21", "product": { "name": "vers:unknown/>=3.0.0.beta1|<3.1.21", "product_id": "CSAFPID-5985094" } }, { "category": "product_version_range", "name": "vers:unknown/>=3.2.0|<3.2.6", "product": { "name": "vers:unknown/>=3.2.0|<3.2.6", "product_id": "CSAFPID-5985095" } } ], "category": "product_name", "name": "rack" } ], "category": "vendor", "name": "rack" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-2065710" } } ], "category": "product_name", "name": "ruby-rack" } ], "category": "product_family", "name": "bookworm" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-2065711" } } ], "category": "product_name", "name": "ruby-rack" } ], "category": "product_family", "name": "bullseye" } ], "category": "vendor", "name": "Debian" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-34230", "cwe": { "id": "CWE-407", "name": "Inefficient Algorithmic Complexity" }, "notes": [ { "category": "description", "text": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34230" }, { "category": "description", "text": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34230.json" }, { "category": "description", "text": "## Summary\n\n`Rack::Utils.select_best_encoding` processes `Accept-Encoding` values with quadratic time complexity when the header contains many wildcard (`*`) entries. Because this method is used by `Rack::Deflater` to choose a response encoding, an unauthenticated attacker can send a single request with a crafted `Accept-Encoding` header and cause disproportionate CPU consumption on the compression middleware path.\n\nThis results in a denial of service condition for applications using `Rack::Deflater`.\n\n## Details\n\n`Rack::Utils.select_best_encoding` expands parsed `Accept-Encoding` values into a list of candidate encodings. When an entry is `*`, the method computes the set of concrete encodings by subtracting the encodings already present in the request:\n\n```ruby\nif m == \"*\"\n (available_encodings - accept_encoding.map(&:first)).each do |m2|\n expanded_accept_encoding << [m2, q, preference]\n end\nelse\n expanded_accept_encoding << [m, q, preference]\nend\n```\n\nBecause `accept_encoding.map(&:first)` is evaluated inside the loop, it is recomputed for each wildcard entry. If the request contains `N` wildcard entries, this produces repeated scans over the full parsed header and causes quadratic behavior.\n\nAfter expansion, the method also performs additional work over `expanded_accept_encoding`, including per-entry deletion, which further increases the cost for large inputs.\n\n`Rack::Deflater` invokes this method for each request when the middleware is enabled:\n\n```ruby\nUtils.select_best_encoding(ENCODINGS, Utils.parse_encodings(accept_encoding))\n```\n\nAs a result, a client can trigger this expensive code path simply by sending a large `Accept-Encoding` header containing many repeated wildcard values.\n\nFor example, a request with an approximately 8 KB `Accept-Encoding` header containing about 1,000 `*;q=0.5` entries can cause roughly 170 ms of CPU time in a single request on the `Rack::Deflater` path, compared to a negligible baseline for a normal header.\n\nThis issue is distinct from CVE-2024-26146. That issue concerned regular expression denial of service during `Accept` header parsing, whereas this issue arises later during encoding selection after the header has already been parsed.\n\n## Impact\n\nAny Rack application using `Rack::Deflater` may be affected.\n\nAn unauthenticated attacker can send requests with crafted `Accept-Encoding` headers to trigger excessive CPU usage in the encoding selection logic. Repeated requests can consume worker time disproportionately and reduce application availability.\n\nThe attack does not require invalid HTTP syntax or large payload bodies. A single header-sized request is sufficient to reach the vulnerable code path.\n\n## Mitigation\n\n* Update to a patched version of Rack in which encoding selection does not repeatedly rescan the parsed header for wildcard entries.\n* Avoid enabling `Rack::Deflater` on untrusted traffic.\n* Apply request filtering or header size / format restrictions at the reverse proxy or application boundary to limit abusive `Accept-Encoding` values.", "title": "github - https://api.github.com/advisories/GHSA-v569-hp3g-36wr" }, { "category": "description", "text": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-34230" }, { "category": "other", "text": "0.00039", "title": "EPSS" }, { "category": "other", "text": "4.1", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5985093", "CSAFPID-5985094", "CSAFPID-5985095", "CSAFPID-2065710", "CSAFPID-2065711" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34230" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34230.json" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-v569-hp3g-36wr" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-34230" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34230" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-v569-hp3g-36wr" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-2065710", "CSAFPID-2065711", "CSAFPID-5985093", "CSAFPID-5985094", "CSAFPID-5985095" ] } ], "title": "CVE-2026-34230" } ] }