<Vulnerability name="CVE-2026-47736">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-14T19:54:26</PublicDate>
    <Bugzilla id="2500583" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500583" xml:lang="en:us">
puma: Puma: Denial of Service due to unbounded memory growth in PROXY protocol v1
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-770</CWE>
    <Details xml:lang="en:us" source="Mitre">
Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, when PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer while waiting for CRLF to determine whether a PROXY v1 line is present, allowing an attacker that continuously sends bytes without CRLF to cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer. This issue is fixed in versions 7.2.1 and 8.0.2.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Puma, a Ruby/Rack web server. When PROXY protocol v1 support is enabled, a remote attacker can continuously send data without proper termination. This causes the server to consume an increasing amount of memory and CPU resources, leading to a Denial of Service (DoS) where the server becomes unresponsive or crashes.
    </Details>
    <Statement xml:lang="en:us">
This issue only affects Puma deployments that explicitly enable the non-default proxy_protocol: :v1 remote-address configuration (set_remote_address proxy_protocol: :v1). An unauthenticated network attacker able to open a TCP connection to such a listener can send bytes without a terminating CRLF, causing unbounded growth of an internal pre-parse buffer and a potential denial of service. Deployments that do not enable this configuration are not affected by this specific issue.
    </Statement>
    <Mitigation xml:lang="en:us">
Upgrade to Puma 7.2.1 (7.x branch) or 8.0.2 (8.x branch), whichever applies to the deployed release line. If an immediate upgrade is not possible, remove or comment out the set_remote_address proxy_protocol: :v1 configuration directive if it is not required, or restrict direct network access to the affected Puma listener to trusted load balancers or reverse proxies only.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp21/backend</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp21/zync</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp22/backend</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp22/zync</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/backend-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/zync-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/zync-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rubygem-puma</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>satellite:el8/rubygem-puma</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-47736
https://nvd.nist.gov/vuln/detail/CVE-2026-47736
https://github.com/puma/puma/commit/439c6136d9c2275721b7864db3ee78af7c80889f
https://github.com/puma/puma/commit/ebe9db3929ab8299d19c8f5b41e8ef4f4b22fa58
https://github.com/puma/puma/releases/tag/v7.2.1
https://github.com/puma/puma/releases/tag/v8.0.2
https://github.com/puma/puma/security/advisories/GHSA-qpgp-93vx-g8v8
    </References>
</Vulnerability>