CVE-2026-34827
Received Received - Intake
Denial of Service in Rack Multipart Parser via CPU Exhaustion

Publication date: 2026-04-02

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34827
EUVD
EUVD-2026-18474
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
rack rack From 3.0.0 (inc) to 3.1.21 (exc)
rack rack From 3.2.0 (inc) to 3.2.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause a denial of service condition in Rack applications that accept multipart form data, such as file upload endpoints or standard HTML form handlers.

  • Excessive CPU usage during multipart parsing.
  • Tying up application workers, which reduces throughput.
  • Degradation or complete denial of service availability.
Executive Summary

CVE-2026-34827 is a denial of service vulnerability in the Rack RubyGem package affecting multipart header parsing in certain versions. The vulnerability exists in the method that parses quoted multipart parameters, which uses repeated string searches and destructive prefix deletions. This parsing approach causes super-linear CPU usage when handling escape-heavy quoted values with many backslash-escaped characters.

An unauthenticated attacker can exploit this by sending a specially crafted multipart/form-data request containing many parts with long, escape-heavy quoted values. This triggers excessive CPU consumption during parsing, leading to denial of service by tying up application workers and reducing service availability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage on Rack applications that accept multipart/form-data requests, especially during file uploads or form submissions.

Detection involves identifying crafted multipart/form-data requests containing many parts with long backslash-escaped quoted parameter values that cause excessive CPU consumption during parsing.

While no specific commands are provided in the resources, general approaches include using network traffic analysis tools (e.g., tcpdump, Wireshark) to capture multipart/form-data requests and system monitoring tools (e.g., top, htop) to observe CPU spikes.

Additionally, inspecting application logs for repeated multipart parsing errors or slow request processing times may help identify exploitation attempts.

Mitigation Strategies

The primary mitigation step is to update the Rack RubyGem package to a patched version: either 3.1.21 or 3.2.6 or later.

These patched versions fix the multipart parameter parsing to avoid repeated rescanning and destructive prefix deletion, eliminating the super-linear CPU usage issue.

  • Apply request throttling or rate limiting on multipart upload endpoints to reduce the risk of denial of service.
  • Where feasible, restrict or isolate multipart parsing on untrusted or high-volume endpoints to limit exposure.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34827. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart