{
  "threat_severity" : "Important",
  "public_date" : "2026-05-22T14:11:41Z",
  "bugzilla" : {
    "description" : "nginx: ngx_http_rewrite_module: code execution and denial of service",
    "id" : "2480746",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2480746"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests, although exploitation also depends on conditions beyond the attacker's control. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "A flaw was found in the ngx_http_rewrite_module module of NGINX. When a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures and a replacement string that references multiple such captures in a redirect or arguments context, an unauthenticated attacker can send crafted HTTP requests and cause a heap-based buffer overflow in the worker process, potentially allowing code execution or a denial of service by forcing the process to restart." ],
  "statement" : "Exploitation requires a rewrite directive configured with a regex pattern that uses distinct, overlapping PCRE captures and a replacement string referencing multiple such captures. Because this is not the default configuration, exposure is limited. This issue allows an attacker to potentially execute arbitrary code or cause a denial of service by forcing the worker process to restart.\nDefault Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and NX (No-Execute) stack protection, significantly increase the difficulty of achieving arbitrary code execution, limiting the impact of this vulnerability.\nFor these reasons, this flaw has been rated Important.",
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-23T00:00:00Z",
    "advisory" : "RHSA-2026:20351",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nginx-main-1.30.2-1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "nginx",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "nginx:1.24/nginx",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "nginx",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "nginx:1.24/nginx",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "nginx:1.26/nginx",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Lightspeed proxy 1",
    "fix_state" : "Affected",
    "package_name" : "insights-proxy/insights-proxy-container-rhel9",
    "cpe" : "cpe:/a:redhat:insights_proxy:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-9256\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-9256\nhttps://my.f5.com/manage/s/article/K000161377" ],
  "name" : "CVE-2026-9256",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, use named captures instead of unnamed captures in rewrite definitions.\nFor example, the following rewrite directive uses unnamed PCRE capture groups, $1 and $2:\n~~~\nrewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;\n~~~\nTo mitigate this vulnerability for this example, replace $1 and $2 with the appropriate named captures, $user_id and $section:\n~~~\nrewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;\n~~~",
    "lang" : "en:us"
  },
  "csaw" : false
}