<Vulnerability name="CVE-2026-9256">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-05-22T14:11:41</PublicDate>
    <Bugzilla id="2480746" url="https://bugzilla.redhat.com/show_bug.cgi?id=2480746" xml:lang="en:us">
nginx: ngx_http_rewrite_module: code execution and denial of service
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>8.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-122</CWE>
    <Details xml:lang="en:us" source="Mitre">
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker, along with conditions beyond their control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the ngx_http_rewrite_module module of NGINX. When a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures and a replacement string that references multiple such captures in a redirect or arguments context, an unauthenticated attacker can send crafted HTTP requests and cause a heap-based buffer overflow in the worker process, potentially allowing code execution or a denial of service by forcing the process to restart.
    </Details>
    <Statement xml:lang="en:us">
To exploit this vulnerability, a rewrite directive must be configured with a regex pattern that uses distinct, overlapping PCRE captures and a replacement string referencing multiple such captures, limiting its exposure as this is not the default configuration. This issue allows an attacker to potentially execute arbitrary code or cause a denial of service by forcing the worker process to restart.

Default Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and NX (No-Execute) stack protection, significantly increase the difficulty of achieving arbitrary code execution, limiting the impact of this vulnerability.

For these reasons, this flaw has been rated as having Important severity.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this vulnerability, use named captures instead of unnamed captures in rewrite definitions.

For example, the following rewrite directive uses unnamed PCRE capture groups, $1 and $2:

~~~
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&amp;tab=$2 last;
~~~

To mitigate this vulnerability for this example, replace $1 and $2 with the appropriate named captures, $user_id and $section:

~~~
rewrite ^/users/(?&lt;user_id&gt;[0-9]+)/profile/(?&lt;section&gt;.*)$ /profile.php?id=$user_id&amp;tab=$section last;
~~~
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-05-23T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:20351">RHSA-2026:20351</Advisory>
        <Package name="nginx-main">nginx-main-1.30.2-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>nginx</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>nginx:1.24/nginx</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>nginx</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>nginx:1.24/nginx</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>nginx:1.26/nginx</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:insights_proxy:1">
        <ProductName>Red Hat Lightspeed proxy 1</ProductName>
        <FixState>Affected</FixState>
        <PackageName>insights-proxy/insights-proxy-container-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9256
https://nvd.nist.gov/vuln/detail/CVE-2026-9256
https://my.f5.com/manage/s/article/K000161377
    </References>
</Vulnerability>