Skip to main content

NGINX EUVDEUVD-2026-31444

| CVE-2026-9256 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-05-22 f5 GHSA-h78r-86c6-jgp4
9.2
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable HTTP request with no auth or interaction, but AC:H because exploitation requires a non-default vulnerable rewrite configuration and ASLR-bypass for code execution; full CIA impact on the worker.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 16, 2026 - 20:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 16, 2026 - 20:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 16, 2026 - 20:07 vuln.today
cvss_changed
Severity Changed
Jun 16, 2026 - 20:07 NVD
HIGH CRITICAL
CVSS changed
Jun 16, 2026 - 20:07 NVD
8.1 (HIGH) 9.2 (CRITICAL)
Patch available
May 26, 2026 - 14:16 EUVD
Analysis Generated
May 22, 2026 - 14:45 vuln.today

DescriptionCVE.org

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.

Technical ContextAI

NGINX's ngx_http_rewrite_module compiles PCRE patterns from rewrite directives and performs variable substitution against captured groups. CWE-122 (Heap-based Buffer Overflow) applies here: when a configuration uses distinct yet overlapping captures and the replacement string concatenates multiple capture references in a redirect/args context, NGINX miscomputes the destination buffer size and writes beyond the heap allocation in the worker process. CPE strings (cpe:2.3:a:f5:nginx_plus and cpe:2.3:a:f5:nginx_open_source) confirm both the commercial F5 distribution and the upstream open-source web server/reverse-proxy are affected across multiple branches.

RemediationAI

Vendor-released patches available: upgrade NGINX Open Source to 1.30.2 or 1.31.1 (or newer), NGINX Plus to R32 P7, R36 P5, or 37.0.1.1 per F5 advisory https://my.f5.com/manage/s/article/K000161377; Ubuntu users should apply USN-8354-1 (https://ubuntu.com/security/notices/USN-8354-1). If patching must be deferred, audit nginx.conf and included files for rewrite directives that combine PCRE patterns containing overlapping captures (e.g., ^/((.*))$) with replacement strings referencing multiple captures (e.g., $1$2) inside redirect or args contexts, and rewrite them to use a single non-overlapping capture group - this fully removes the trigger but may require URL-handling logic changes. As an interim control, place a WAF rule in front of NGINX to block requests targeting the specific URI paths handled by vulnerable rewrite rules; ensure ASLR remains enabled on the host to keep impact bounded to worker restart rather than code execution, accepting that repeated crashes still degrade availability.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

CVE-2024-24989 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

EUVD-2026-31444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy