Skip to main content

ModSecurity CVE-2026-30923

| EUVDEUVD-2026-27422 HIGH
Out-of-bounds Read (CWE-125)
2026-05-05 GitHub_M
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 05, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 05, 2026 - 19:31 vuln.today
Analysis Generated
May 05, 2026 - 19:31 vuln.today
CVSS changed
May 05, 2026 - 19:22 NVD
8.2 (HIGH)

DescriptionGitHub Advisory

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.

AnalysisAI

Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).

Technical ContextAI

ModSecurity v3 uses libmodsecurity3 as its core WAF engine, implementing transformation functions that normalize input data before rule evaluation. The t:hexDecode transformation converts hexadecimal-encoded strings to their ASCII equivalents, commonly used to detect obfuscated attack payloads. The vulnerability stems from CWE-125 (Out-of-bounds Read) in hex_decode.cc, where processing a single-character query string parameter triggers an unsigned integer underflow or improper bounds check. When the transformation attempts to read beyond allocated memory, the process encounters a segmentation fault. This affects all web server integrations (Apache, IIS, Nginx) since the flaw exists in the shared libmodsecurity3 library. The CPE identifier cpe:2.3:a:owasp-modsecurity:modsecurity confirms OWASP as the maintaining organization. GitHub release notes indicate this was one of multiple buffer overflow issues (CVE-2026-30923, CVE-2026-42268, plus three additional buffer overflows in multipart processing, ACMP pattern matching, and SecLang scanner) addressed in the 3.0.15 security release.

RemediationAI

Upgrade libmodsecurity3 to version 3.0.15 or later, released by OWASP on GitHub at https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.15. The patch fixes the buffer overflow in hex_decode.cc along with multiple other security issues including CVE-2026-42268 (unsigned integer underflow in verify operators), buffer overflows in multipart body processing, heap buffer overflow in ACMP pattern matching, nullptr dereference in SecLang scanner, and undefined behavior in ip_tree. For organizations unable to immediately upgrade, implement compensating controls with awareness of their limitations: disable or comment out ModSecurity rules that apply the t:hexDecode transformation to query string parameters (search ruleset files for 'ARGS' scope with 't:hexDecode'), which eliminates the vulnerable code path but reduces detection coverage for hex-encoded attacks. Alternatively, deploy rate limiting or connection throttling at the web server or load balancer layer to mitigate repeated crash attempts, though this does not prevent the segfault itself and may impact legitimate traffic during attacks. Monitor web server error logs for segmentation fault patterns indicating exploitation attempts. Note that version 3.0.15 also updates dependencies to mbedTLS 4.1.0 and libinjection 4.0.0, so verify compatibility with existing integrations before deploying to production.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-30923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy