Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.
Published: 2026-05-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A single-character query string processed with the t:hexDecode transformation triggers an invalid memory access in libModSecurity3, causing the worker process to crash. The crash results in a temporary service interruption until the worker recovers. The weakness is a classic out-of-bounds read, classified as CWE-125.

Affected Systems

All installations of ModSecurity v3 using the libModSecurity3 component on Apache, IIS, or Nginx are affected. Versions before 3.0.15 are vulnerable, regardless of other configuration settings beyond the transformation.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and the absence of an EPSS rating means the exploitation probability is not quantified at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker can submit a specially crafted single-character query string to any ModSecurity-protected web application. It is inferred that the attack requires no authentication or privileged state, and it does not compromise the confidentiality or integrity of data; it only causes a denial of service by crashing worker processes.

Generated by OpenCVE AI on May 5, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official ModSecurity update to v3.0.15 or later, which resolves the segmentation fault.
  • Restart the affected web server (Apache, IIS, or Nginx) after the update to clean up any crashed worker processes.
  • Temporarily disable or remove any rules that use the t:hexDecode transformation on single-character query strings until the upgrade is completed.

Generated by OpenCVE AI on May 5, 2026 at 21:24 UTC.
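The third recommended action above means finding the rules in a ruleset that apply t:hexDecode to query-string input. The following is an added Python example for auditing a rule file for such rules; it is not code from the OpenCVE page or the ModSecurity project, and the sample rules, their ids and the set of query-string collections it checks are constructed assumptions.

```python
import re
# Constructed sample rule set for this demo, not from the page or from any real ModSecurity/CRS config.
SAMPLE_RULES = r'''
SecRule ARGS "@rx (?i)select.+from" "id:1001,phase:2,t:none,t:hexDecode,t:lowercase,deny"
SecRule REQUEST_HEADERS:User-Agent "@contains scanner" "id:1002,phase:1,t:none,t:hexDecode,deny"
SecRule QUERY_STRING "@rx \.\./" "id:1003,phase:1,t:urlDecodeUni,deny"
SecRule ARGS_GET:token|!ARGS:safe "@rx ^[0-9a-f]+$" \
    "id:1004,phase:2,t:none,t:hexDecode,pass,log"
'''

# Collections fed from the query string (assumption: what the advisory's "query string parameter" covers).
QUERY_COLLECTIONS = {"ARGS", "ARGS_GET", "ARGS_NAMES", "ARGS_GET_NAMES",
                     "QUERY_STRING", "REQUEST_URI", "REQUEST_URI_RAW", "REQUEST_LINE"}
# SecRule VARIABLES OPERATOR "ACTIONS"; the operator may be quoted or bare.
RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+(?:"[^"]*"|\S+)\s+"([^"]*)"', re.M)

def parse_actions(actions):
    """Return (rule id, set of lower-cased transformation names) from an action string."""
    rule_id, transforms = None, set()
    for action in (a.strip() for a in actions.split(",")):
        if action.startswith("id:"):
            rule_id = action[3:].strip("'")
        elif action.startswith("t:"):
            transforms.add(action[2:].lower())
    return rule_id, transforms

def query_targets(variables):
    """Query-string collections among a rule's positive (non-excluded) targets."""
    targets = set()
    for var in variables.split("|"):
        if var.startswith("!"):  # "!ARGS:x" removes a target, it does not add one
            continue
        name = var.lstrip("&").split(":", 1)[0].upper()  # "&ARGS_GET:x" -> "ARGS_GET"
        if name in QUERY_COLLECTIONS:
            targets.add(name)
    return targets

def affected_rules(config):
    """[(rule id, targets)] for rules applying t:hexDecode to query-string input (SecDefaultAction inheritance not followed)."""
    joined = config.replace("\\\n", " ")  # fold backslash line continuations
    found = []
    for variables, actions in RULE_RE.findall(joined):
        rule_id, transforms = parse_actions(actions)
        targets = query_targets(variables)
        if "hexdecode" in transforms and targets:
            found.append((rule_id, targets))
    return found

if __name__ == "__main__":
    for rule_id, targets in affected_rules(SAMPLE_RULES):
        print(f"rule {rule_id} applies t:hexDecode to {sorted(targets)}")
```

Run it against the real rule files (for example with `affected_rules(open(path).read())`) to get the list of rule ids to disable until 3.0.15 is deployed.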

Advisories

No advisories yet.

History

Thu, 07 May 2026 13:45:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Owasp
                                     Owasp modsecurity
CPEs                                 cpe:2.3:a:owasp:modsecurity:*:*:*:*:*:*:*:*
Vendors & Products                   Owasp
                                     Owasp modsecurity
Metrics                              cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 05 May 2026 22:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Modsecurity
                                     Modsecurity modsecurity
Vendors & Products                   Modsecurity
                                     Modsecurity modsecurity

Tue, 05 May 2026 20:15:00 +0000

Type                 Values Removed  Values Added
Metrics                              ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 19:00:00 +0000

Type                 Values Removed  Values Added
Description                          ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.
Title                                libModSecurity3 denial of service via segfault when using t:hexDecode on single-character query strings
Weaknesses                           CWE-125
References
Metrics                              cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:21:08.898Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30923

Vulnrichment

Updated: 2026-05-05T19:20:39.690Z

NVD

Status : Analyzed

Published: 2026-05-05T19:16:21.567

Modified: 2026-06-17T10:33:09.423

Link: CVE-2026-30923

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T21:45:15Z

Weaknesses