Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-12T21:40:19 mod_security: ModSecurity: Denial of Service via unsigned integer underflow in rule verification functions 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CWE-191

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.

A flaw was found in ModSecurity, an open-source web application firewall (WAF). This vulnerability occurs when an administrator configures a rule that uses `@verifySSN`, `@verifyCPF`, or `@verifySVNR` functions. An unhandled exception, specifically an unsigned integer underflow, can lead to a denial of service (DoS) condition, making the WAF unavailable.

To mitigate this issue, administrators should avoid configuring ModSecurity rules that utilize the `@verifySSN`, `@verifyCPF`, or `@verifySVNR` functions. Disabling or removing these specific rules will prevent the unsigned integer underflow that leads to a denial of service. After modifying ModSecurity configuration, a service reload or restart may be required for the changes to take effect. Red Hat Enterprise Linux 8 Fix deferred mod_security Red Hat Enterprise Linux 9 Fix deferred mod_security https://www.cve.org/CVERecord?id=CVE-2026-42268 https://nvd.nist.gov/vuln/detail/CVE-2026-42268 https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-vwr3-7x7g-7p9w