CVE-2026-33176
Received Received - Intake
Denial of Service via BigDecimal in Active Support Number Helpers

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33176
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rubyonrails rails to 7.2.3.1 (exc)
rubyonrails rails From 8.0.0 (inc) to 8.0.4.1 (exc)
rubyonrails rails From 8.1.0 (inc) to 8.1.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33176 is a vulnerability in the Ruby on Rails framework\'s Active Support number helpers. The issue arises because these helpers accept strings containing scientific notation (such as "1e10000"). When such strings are converted using the BigDecimal class, they expand into extremely large decimal numbers. This expansion can cause excessive memory allocation and CPU consumption during formatting.'}, {'type': 'paragraph', 'content': 'This behavior can be exploited by an attacker to cause a denial-of-service (DoS) attack by providing specially crafted input strings with scientific notation, leading to resource exhaustion.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by modifying the number conversion process to reject strings containing scientific notation before attempting to convert them to BigDecimal. This prevents the processing of extremely large numeric values expressed in scientific notation.'}] [1, 2, 3, 4]

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) condition in applications using vulnerable versions of Ruby on Rails Active Support number helpers.

By submitting input strings containing scientific notation, an attacker can trigger excessive memory allocation and CPU usage during number formatting, potentially making the application unresponsive or crashing it.

This can lead to service downtime, degraded performance, and a poor user experience, especially in environments where user input is not properly sanitized or validated.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves the processing of strings containing scientific notation by Active Support number helpers in Ruby on Rails, which can lead to excessive memory and CPU usage. Detection would involve identifying if your application is receiving or processing inputs with scientific notation strings (e.g., containing 'e' or 'E') that are passed to number conversion methods."}, {'type': 'paragraph', 'content': "Since the vulnerability is triggered by inputs containing scientific notation, you can monitor logs or input data for such patterns. For example, searching application logs for strings matching the regex pattern '[deDE]' or specifically scientific notation patterns like '\\d+e\\d+' could help detect attempts to exploit this issue."}, {'type': 'paragraph', 'content': 'There are no specific commands provided in the resources, but you can use commands like the following to search logs for suspicious inputs:'}, {'type': 'list_item', 'content': "grep -iE '\\b\\d+e\\d+\\b' /path/to/your/application/logs/*.log"}, {'type': 'list_item', 'content': "grep -iE '[de]' /path/to/your/application/logs/*.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring system resource usage (CPU and memory) spikes during request processing may indicate exploitation attempts.'}] [1, 2, 3, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade the Active Support component of Ruby on Rails to a patched version that contains the fix for this vulnerability.'}, {'type': 'list_item', 'content': 'Upgrade to Active Support versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later, which include the patch that rejects inputs containing scientific notation before converting them with BigDecimal.'}, {'type': 'paragraph', 'content': "The patch prevents processing of strings containing 'e' or 'd' characters (indicative of scientific notation) by skipping their conversion to BigDecimal, thus mitigating the risk of denial-of-service caused by excessive resource consumption."}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, consider implementing input validation or sanitization to reject or safely handle inputs containing scientific notation before they reach the vulnerable number conversion code.'}] [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart