VDB

CVE-2026-33176

CVE-2026-33176 PUBLISHED CVSS 6.599999904632568 MEDIUM

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

EPSS 0.03% · 9.7th percentile

Risk Scores

CVSS v4.0
6.599999904632568
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
EPSS Score
0.03%
9.7th percentile

Affected Products

VendorProductVersions
railsactivestorage>= 8.0.0.beta1, < 8.0.4.1, *, < 7.2.3.1
RubyGemsactivesupport8.1.0.beta1, 8.0.0.beta1, 0
rubyonrailsrails0, 8.0.0, 8.1.0
railsactivesupport>= 8.1.0.beta1, < 8.1.2.1, *, < 7.2.3.1

Timeline

  • Mar 23, 2026 CVE Published
  • Mar 24, 2026 EPSS Score
  • Mar 24, 2026 PoC Published
  • Mar 24, 2026 Security Advisory
  • Mar 24, 2026 CVE Updated
  • Mar 25, 2026 EPSS Score
  • Mar 25, 2026 Coalition ESS Score
  • May 7, 2026 Distribution Patch
  • May 7, 2026 Security Advisory
  • May 8, 2026 Distribution Patch
  • May 8, 2026 Security Advisory
  • May 8, 2026 Distribution Patch

References

…and 3 more

Open in Interactive Console →
$ Console Community · 100/wk Open console ›