CVE-2026-52761

NameCVE-2026-52761
DescriptionModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through 3.0.15, the t:utf8toUnicode transformation in src/actions/transformations/utf8_to_unicode.cc produces wrong output on i386 architecture because snprintf uses sizeof on a char pointer rather than the length of the unicode buffer, allowing rules that use this transformation to be bypassed on i386 architecture. This issue is fixed in version 3.0.16.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1141961

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity (PTS)bullseye3.0.4-2vulnerable
bookworm3.0.9-1+deb12u2vulnerable
trixie3.0.14-1+deb13u1vulnerable
forky, sid3.0.15-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecuritysource(unstable)(unfixed)1141961

Notes

[trixie] - modsecurity <no-dsa> (Minor issue)
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qjgm-7gp4-f8qq
Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/edcd010814e234d46e2ec55a0f1078ff9d3032e4 (v3.0.16)

Search for package or bug name: Reporting problems