What is the CVSS score of CVE-2026-9256?

CVE-2026-9256 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of NGINX are affected by CVE-2026-9256?

NGINX web servers using rewrite rules contain a critical heap buffer overflow vulnerability (CVE-2026-9256, CVSS 8.1) allowing unauthenticated remote attacks that can crash services or execute code.. A patch is available.

NGINX CVE-2026-9256

EUVD-2026-31444 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-05-22 f5

GHSA-h78r-86c6-jgp4

Buffer Overflow Heap Overflow Nginx Red Hat Nginx Open Source Nginx Plus Suse

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 26, 2026 - 14:16 EUVD

Analysis Generated

May 22, 2026 - 14:45 vuln.today

DescriptionNVD

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers to crash worker processes and potentially achieve code execution via crafted HTTP requests targeting servers using rewrite directives with overlapping PCRE captures. The flaw affects a core HTTP module shipped in default builds, making widespread exposure plausible wherever vulnerable rewrite rules are configured, though exploitation requires specific configuration prerequisites and ASLR bypass for full RCE. …

RemediationAI

Within 24 hours: Identify all NGINX instances configured with rewrite directives to assess organizational exposure. Within 7 days: Disable ngx_http_rewrite_module where operationally feasible; implement Web Application Firewall rules to detect malicious rewrite requests; restrict HTTP access through network segmentation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory