CVE-2026-9256

8.1 HIGH

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module

Published: 2026-05-22 · Last updated: 2026-06-16

Severity and scoring

CVSS: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-122

Affected products

Vendor	Product
f5	nginx_open_source, nginx_plus

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9256
[Vendor advisory]https://my.f5.com/manage/s/article/K000161377
[Other]http://www.openwall.com/lists/oss-security/2026/05/22/14

Related CVEs

Same vendor

CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
CVE-2026-8711 — NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (... (8.1 HIGH)
CVE-2026-42946 — A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an... (6.5 MEDIUM)
CVE-2009-3555 — The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in... (9.8 CRITICAL)

Same CWE

CVE-2026-47747 — stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inf... (7.8 HIGH)
CVE-2026-47964 — DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code ex... (7.8 HIGH)
CVE-2026-47749 — stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inf... (7.8 HIGH)
CVE-2026-8484 — A heap buffer overflow vulnerability exists in the Jansi JNI "ioctl()" wrapper due to a lack of size verification for the argument array ...
CVE-2026-52720 — A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client) (8.8 HIGH)