Home

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

PUBLISHED Reserved 2026-05-21 | Published 2026-05-22 | Updated 2026-05-28 | Assigner f5




HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.2CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-122 Heap-based Buffer Overflow

Product status

Default status
unknown

37.0 (custom) before 37.0.1.1
affected

R36 (custom) before R36 P5
affected

R32 (custom) before R32 P7
affected

Default status
unaffected

1.31.0 (custom) before 1.31.1
affected

1.30.0 (custom) before 1.30.2
affected

0.1.17 (custom)
affected

Credits

"F5 acknowledges Mufeed VH of Winfunc Research, Nebula Security (@nebusecurity), and Vexera AI for bringing this issue to our attention and following the highest standards of coordinated disclosure." reporter

References

www.openwall.com/lists/oss-security/2026/05/22/14

my.f5.com/manage/s/article/K000161377 vendor-advisory

cve.org (CVE-2026-9256)

nvd.nist.gov (CVE-2026-9256)

Download JSON