CVE-2026-33176: Rails Active Support has a possible DoS vulnerability in its number helpers

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-33176

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Rails Active Support has a possible DoS vulnerability in its number helpers

Source: NVD (National Vulnerability Database)

Vulnerability Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

未加控制的资源消耗(资源穷尽)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Rails 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Rails是美国Rails团队的一套基于Ruby语言的开源Web应用框架。 Rails Active Support 8.1.2.1之前版本、8.0.4.1之前版本和7.2.3.1之前版本存在安全漏洞，该漏洞源于数字辅助函数接受包含科学计数法的字符串，可能导致内存和CPU消耗过大引发拒绝服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
rails	activesupport	>= 8.1.0.beta1, < 8.1.2.1	-

II. Public POCs for CVE-2026-33176

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-33176

Please Login to view more intelligence information

https://github.com/rails/rails/releases/tag/v8.1.2.1x_refsource_MISC
https://github.com/rails/rails/releases/tag/v8.0.4.1x_refsource_MISC
https://github.com/rails/rails/releases/tag/v7.2.3.1x_refsource_MISC
https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9x_refsource_CONFIRM
https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcbx_refsource_MISC
https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1ax_refsource_MISC
https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2026-33176

IV. Related Vulnerabilities

Same product: activesupport

Same vendor: rails

Same weakness: CWE-400

V. Comments for CVE-2026-33176

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2026-33176

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-33176

III. Intelligence Information for CVE-2026-33176

IV. Related Vulnerabilities

V. Comments for CVE-2026-33176

Leave a comment