DEBIAN-CVE-2026-34831

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-34831
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34831.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-34831
Upstream
  • CVE-2026-34831
Published
2026-04-02T17:16:26.420Z
Modified
2026-04-11T05:02:10.685132Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

References

Affected packages

Debian:11 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.1.4-3
2.1.4-3+deb11u1
2.1.4-3+deb11u2
2.1.4-3+deb11u3
2.1.4-3+deb11u4
2.1.4-3+deb11u5
2.1.4-4
2.1.4-5
2.2.3-1
2.2.3-2
2.2.3-3
2.2.3-4
2.2.4-1
2.2.4-2
2.2.4-3
2.2.6.4-1
2.2.7-1
2.2.7-1.1
2.2.13-1~deb12u1
3.*
3.0.0-1
3.0.8-1
3.0.8-2
3.0.8-3
3.0.8-4
3.1.9-1~exp1
3.1.9-2
3.1.12-1
3.1.12-2~exp1
3.1.16-0.1
3.1.18-1~deb13u1
3.1.18-1
3.2.4-1
3.2.5-1
3.2.5-2
3.2.6-1
3.2.6-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34831.json"

Debian:12 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.6.4-1
2.2.6.4-1+deb12u1
2.2.7-1
2.2.7-1.1
2.2.13-1~deb12u1
2.2.20-0+deb12u1
2.2.22-0+deb12u1
3.*
3.0.0-1
3.0.8-1
3.0.8-2
3.0.8-3
3.0.8-4
3.1.9-1~exp1
3.1.9-2
3.1.12-1
3.1.12-2~exp1
3.1.16-0.1
3.1.18-1~deb13u1
3.1.18-1
3.2.4-1
3.2.5-1
3.2.5-2
3.2.6-1
3.2.6-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34831.json"

Debian:13 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.1.16-0.1
3.1.18-1~deb13u1
3.1.18-1
3.1.20-0+deb13u1
3.2.4-1
3.2.5-1
3.2.5-2
3.2.6-1
3.2.6-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34831.json"

Debian:14 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.6-2

Affected versions

3.*
3.1.16-0.1
3.1.18-1~deb13u1
3.1.18-1
3.2.4-1
3.2.5-1
3.2.5-2
3.2.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34831.json"