Bug 2450551 (CVE-2026-33176) - CVE-2026-33176 Rails: Active Support: Active Support: Denial of Service via large scientific notation strings
Summary: CVE-2026-33176 Rails: Active Support: Active Support: Denial of Service via l...
Keywords:
Status: NEW
Alias: CVE-2026-33176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-24 00:02 UTC by OSIDB Bzimport
Modified: 2026-05-07 17:56 UTC (History)
11 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:14873 0 None None None 2026-05-07 17:26:33 UTC
Red Hat Product Errata RHSA-2026:14874 0 None None None 2026-05-07 17:56:08 UTC

Description OSIDB Bzimport 2026-03-24 00:02:34 UTC 
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Comment 2 errata-xmlrpc 2026-05-07 17:26:32 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2026:14873 https://access.redhat.com/errata/RHSA-2026:14873
Comment 3 errata-xmlrpc 2026-05-07 17:56:06 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:14874 https://access.redhat.com/errata/RHSA-2026:14874
Note You need to log in before you can comment on or make changes to this bug.