[USN-8182-1] Rack vulnerabilities

========================================================================== Ubuntu Security Notice USN-8182-1 April 17, 2026 ruby-rack vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in Rack. Software Description: - ruby-rack: modular Ruby webserver interface Details: Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961) William T. Nelson discovered that Rack did not handle multipart headers correctly. An attacker could possibly use this issue to cause downstream parsing issues or a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-26962) It was discovered that Rack did not handle the Forwarded header correctly. An attacker could possibly use this issue to manipulate header values. This issue only affected Ubuntu 25.10. (CVE-2026-32762) It was discovered that Rack could consume excessive CPU when handling certain Accept-Encoding values. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-34230) Haruki Oyama discovered that certain configurations of Rack could erroneously fail to derive the displayed directory path, and expose the full filesystem path. An attacker could possibly use this issue to disclose deployment details such as layout and usernames. (CVE-2026-34763) It was discovered that Rack did not properly handle static file paths. An attacker could possibly use this issue to exfiltrate unintentionally served data. (CVE-2026-34785) Haruki Oyama discovered that Rack did not apply header rules to certain requests for URL-encoded static paths. An attacker could possibly use this issue to bypass security-relevant response headers. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34786) It was discovered that Rack did not limit the number of ranges requested in the Range header. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34826) It was discovered that Rack could consume excessive CPU when parsing certain multipart parameters. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-34827) It was discovered that Rack could consume unbounded disk space when handling requests without a Content-Length header. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34829) Mehtab Zafar discovered that Rack directly interpreted the X-Accel-Mapping header as a regular expression without escaping. An attacker could possibly use this issue to exfiltrate arbitrary files from internal locations. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34830) It was discovered that Rack did not properly handle messages with Unicode. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34831) It was discovered that Rack did not properly parse the Host header. An attacker could possibly use this issue to bypass security filters or poison generated links. This issue only affected Ubuntu 25.10. (CVE-2026-34835) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 ruby-rack 3.1.16-0.1ubuntu0.3 Ubuntu 24.04 LTS ruby-rack 2.2.7-1ubuntu0.7 Ubuntu 22.04 LTS ruby-rack 2.1.4-5ubuntu1.2+esm3 Available with Ubuntu Pro Ubuntu 20.04 LTS ruby-rack 2.0.7-2ubuntu0.1+esm10 Available with Ubuntu Pro Ubuntu 18.04 LTS ruby-rack 1.6.4-4ubuntu0.2+esm10 Available with Ubuntu Pro Ubuntu 16.04 LTS ruby-rack 1.6.4-3ubuntu0.2+esm10 Available with Ubuntu Pro Ubuntu 14.04 LTS librack-ruby 1.5.2-3+deb8u3ubuntu1~esm11 Available with Ubuntu Pro librack-ruby1.8 1.5.2-3+deb8u3ubuntu1~esm11 Available with Ubuntu Pro librack-ruby1.9.1 1.5.2-3+deb8u3ubuntu1~esm11 Available with Ubuntu Pro ruby-rack 1.5.2-3+deb8u3ubuntu1~esm11 Available with Ubuntu Pro After a standard system update you need to restart any applications using Rack to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8182-1 CVE-2026-26961, CVE-2026-26962, CVE-2026-32762, CVE-2026-34230, CVE-2026-34763, CVE-2026-34785, CVE-2026-34786, CVE-2026-34826, CVE-2026-34827, CVE-2026-34829, CVE-2026-34830, CVE-2026-34831, CVE-2026-34835 Package Information: https://launchpad.net/ubuntu/+source/ruby-rack/3.1.16-0.1ubuntu0.3 https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.7