
[USN-8182-1] Rack vulnerabilities

Posted on 17 April 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8182-1
April 17, 2026

ruby-rack vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

Andrew Lacambra discovered that Rack did not properly parse certain regular
expressions. An attacker could possibly use this issue to bypass network
security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961)

William T. Nelson discovered that Rack did not handle multipart headers
correctly. An attacker could possibly use this issue to cause downstream
parsing issues or a denial of service. This issue only affected Ubuntu
25.10. (CVE-2026-26962)

It was discovered that Rack did not handle the Forwarded header correctly.
An attacker could possibly use this issue to manipulate header values. This
issue only affected Ubuntu 25.10. (CVE-2026-32762)

It was discovered that Rack could consume excessive CPU when handling
certain Accept-Encoding values. An attacker could possibly use this issue
to cause a denial of service. (CVE-2026-34230)

Haruki Oyama discovered that certain configurations of Rack could
erroneously fail to derive the displayed directory path, and expose the
full filesystem path. An attacker could possibly use this issue to disclose
deployment details such as layout and usernames. (CVE-2026-34763)

It was discovered that Rack did not properly handle static file paths. An
attacker could possibly use this issue to exfiltrate unintentionally served
data. (CVE-2026-34785)

Haruki Oyama discovered that Rack did not apply header rules to certain
requests for URL-encoded static paths. An attacker could possibly use this
issue to bypass security-relevant response headers. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04
LTS, and Ubuntu 25.10. (CVE-2026-34786)

It was discovered that Rack did not limit the number of ranges requested in
the Range header. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04
LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu
25.10. (CVE-2026-34826)
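As an added illustration of the kind of limit this issue concerns (not Rack's own code and not the fix shipped in these packages), a Rack-compatible middleware that rejects requests carrying more byte ranges than a fixed cap; the class name, the cap and the 416 status are assumptions:

```ruby
# Added example: a minimal Rack-style middleware that rejects requests whose
# Range header carries more than a fixed number of byte ranges. It is not
# Rack's own code; MAX_RANGES and the class name are assumptions.
class RangeCountLimiter
  MAX_RANGES = 8 # assumed cap; tune for your application

  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  # Count the comma-separated range specs in a Range header value such as
  # "bytes=0-99,200-299". Returns 0 for a missing or non-"bytes" header.
  def self.range_count(header)
    return 0 if header.nil?
    value = header.strip
    return 0 unless value.start_with?("bytes=")
    value.delete_prefix("bytes=").split(",").count { |spec| !spec.strip.empty? }
  end

  # Rack interface: return a 416 before the inner app sees an oversized
  # Range header, otherwise pass the request through unchanged.
  def call(env)
    count = self.class.range_count(env["HTTP_RANGE"])
    if count > @max_ranges
      body = "Too many ranges\n"
      return [416,
              { "content-type" => "text/plain",
                "content-length" => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end
end

# Constructed requests for a stand-alone run (not real traffic).
if __FILE__ == $0
  inner = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  app = RangeCountLimiter.new(inner, max_ranges: 2)
  [nil, "bytes=0-99", "bytes=0-1,2-3,4-5"].each do |range|
    status, = app.call({ "HTTP_RANGE" => range })
    puts "#{range.inspect} -> #{status}"
  end
end
```

Updating ruby-rack remains the actual remediation; a middleware like this only adds a request-time ceiling in front of whatever serves static files.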

It was discovered that Rack could consume excessive CPU when parsing
certain multipart parameters. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 25.10.
(CVE-2026-34827)

It was discovered that Rack could consume unbounded disk space when
handling requests without a Content-Length header. An attacker could
possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu
25.10. (CVE-2026-34829)

Mehtab Zafar discovered that Rack directly interpreted the X-Accel-Mapping
header as a regular expression without escaping. An attacker could possibly
use this issue to exfiltrate arbitrary files from internal locations. This
issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34830)

It was discovered that Rack did not properly handle messages with Unicode.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu
25.10. (CVE-2026-34831)

It was discovered that Rack did not properly parse the Host header. An
attacker could possibly use this issue to bypass security filters or poison
generated links. This issue only affected Ubuntu 25.10. (CVE-2026-34835)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
ruby-rack 3.1.16-0.1ubuntu0.3

Ubuntu 24.04 LTS
ruby-rack 2.2.7-1ubuntu0.7

Ubuntu 22.04 LTS
ruby-rack 2.1.4-5ubuntu1.2+esm3
Available with Ubuntu Pro

Ubuntu 20.04 LTS
ruby-rack 2.0.7-2ubuntu0.1+esm10
Available with Ubuntu Pro

Ubuntu 18.04 LTS
ruby-rack 1.6.4-4ubuntu0.2+esm10
Available with Ubuntu Pro

Ubuntu 16.04 LTS
ruby-rack 1.6.4-3ubuntu0.2+esm10
Available with Ubuntu Pro

Ubuntu 14.04 LTS
librack-ruby 1.5.2-3+deb8u3ubuntu1~esm11
Available with Ubuntu Pro
librack-ruby1.8 1.5.2-3+deb8u3ubuntu1~esm11
Available with Ubuntu Pro
librack-ruby1.9.1 1.5.2-3+deb8u3ubuntu1~esm11
Available with Ubuntu Pro
ruby-rack 1.5.2-3+deb8u3ubuntu1~esm11
Available with Ubuntu Pro

After a standard system update you need to restart any applications using
Rack to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8182-1
CVE-2026-26961, CVE-2026-26962, CVE-2026-32762, CVE-2026-34230,
CVE-2026-34763, CVE-2026-34785, CVE-2026-34786, CVE-2026-34826,
CVE-2026-34827, CVE-2026-34829, CVE-2026-34830, CVE-2026-34831,
CVE-2026-34835

Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/3.1.16-0.1ubuntu0.3
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.7
