{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-23T23:29:27Z",
  "bugzilla" : {
    "description" : "Rails: Active Support: Active Support: Denial of Service via large scientific notation strings",
    "id" : "2450551",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2450551"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.", "A flaw was found in Active Support, a toolkit of support libraries for Ruby on Rails. A remote attacker can exploit this vulnerability by providing specially crafted strings containing scientific notation (e.g., \"1e10000\") to number helpers. This input causes the `BigDecimal` component to expand into extremely large decimal representations, consuming excessive memory and CPU resources. This can lead to a Denial of Service (DoS) vulnerability, making the affected system unavailable." ],
  "statement" : "This flaw is rated as Moderate by Red Hat. Successful exploitation of this vulnerability requires an attacker to reach the vulnerable code path within the Active Support library as used by the hosting application. Because this functionality is not typically exposed directly to unauthenticated users, an attacker would generally need at least low-privileged (authenticated) access to the application to trigger the issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14874",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el8",
    "package" : "rubygem-activesupport-0:6.1.7.8-2.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14874",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el8",
    "package" : "rubygem-activesupport-0:6.1.7.8-2.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14874",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el9",
    "package" : "rubygem-activesupport-0:6.1.7.8-2.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14874",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el9",
    "package" : "rubygem-activesupport-0:6.1.7.8-2.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14873",
    "cpe" : "cpe:/a:redhat:satellite:6.17::el9",
    "package" : "rubygem-activesupport-0:7.0.8.7-2.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14873",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.17::el9",
    "package" : "rubygem-activesupport-0:7.0.8.7-2.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.18 for RHEL 9",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14835",
    "cpe" : "cpe:/a:redhat:satellite:6.18::el9",
    "package" : "rubygem-activesupport-0:7.0.8.7-2.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.18 for RHEL 9",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14835",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.18::el9",
    "package" : "rubygem-activesupport-0:7.0.8.7-2.el9sat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "satellite:el8/rubygem-activesupport",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33176\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33176\nhttps://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb\nhttps://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a\nhttps://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9" ],
  "name" : "CVE-2026-33176",
  "mitigation" : {
    "value" : "To mitigate this issue, applications that use Active Support number helpers to process untrusted input should implement strict input validation. This involves sanitizing or restricting the format and length of numerical strings before they are passed to Active Support, thereby preventing the `BigDecimal` component from expanding into extremely large decimal representations and consuming excessive resources.",
    "lang" : "en:us"
  },
  "csaw" : false
}