CVE-2026-9256

NameCVE-2026-9256
DescriptionNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6326-1
Debian Bugs1137339

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)bullseye1.18.0-6.1+deb11u3vulnerable
bullseye (security)1.18.0-6.1+deb11u6vulnerable
bookworm1.22.1-9+deb12u6vulnerable
bookworm (security)1.22.1-9+deb12u8fixed
trixie1.26.3-3+deb13u4vulnerable
trixie (security)1.26.3-3+deb13u6fixed
forky, sid1.30.1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsourcebookworm1.22.1-9+deb12u8DSA-6326-1
nginxsourcetrixie1.26.3-3+deb13u6DSA-6326-1
nginxsource(unstable)1.30.1-31137339

Notes

https://my.f5.com/manage/s/article/K000161377
Fixed by: https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068 (release-1.30.2)
Search for package or bug name: Reporting problems