CVE-2026-34827
Denial of Service in Rack Multipart Parser via CPU Exhaustion
Publication date: 2026-04-02
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.0.0 (inc) to 3.1.21 (exc) |
| rack | rack | From 3.2.0 (inc) to 3.2.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-34827 is a denial of service vulnerability in the Rack RubyGem package affecting multipart header parsing in certain versions. The vulnerability exists in the method that parses quoted multipart parameters, which uses repeated string searches and destructive prefix deletions. This parsing approach causes super-linear CPU usage when handling escape-heavy quoted values with many backslash-escaped characters.
An unauthenticated attacker can exploit this by sending a specially crafted multipart/form-data request containing many parts with long, escape-heavy quoted values. This triggers excessive CPU consumption during parsing, leading to denial of service by tying up application workers and reducing service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU usage on Rack applications that accept multipart/form-data requests, especially during file uploads or form submissions.
Detection involves identifying crafted multipart/form-data requests containing many parts with long backslash-escaped quoted parameter values that cause excessive CPU consumption during parsing.
While no specific commands are provided in the resources, general approaches include using network traffic analysis tools (e.g., tcpdump, Wireshark) to capture multipart/form-data requests and system monitoring tools (e.g., top, htop) to observe CPU spikes.
Additionally, inspecting application logs for repeated multipart parsing errors or slow request processing times may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Rack RubyGem package to a patched version: either 3.1.21 or 3.2.6 or later.
These patched versions fix the multipart parameter parsing to avoid repeated rescanning and destructive prefix deletion, eliminating the super-linear CPU usage issue.
- Apply request throttling or rate limiting on multipart upload endpoints to reduce the risk of denial of service.
- Where feasible, restrict or isolate multipart parsing on untrusted or high-volume endpoints to limit exposure.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service condition in Rack applications that accept multipart form data, such as file upload endpoints or standard HTML form handlers.
- Excessive CPU usage during multipart parsing.
- Tying up application workers, which reduces throughput.
- Degradation or complete denial of service availability.