Description
ModSecurity is an open-source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by an unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule with any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.
Published: 2026-05-12
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by an unsigned integer underflow that results in an unhandled std::out_of_range exception within libmodsecurity3. When a rule containing @verifySSN, @verifyCPF, or @verifySVNR is evaluated, the exception can crash the ModSecurity engine, causing the protected web server to become unavailable. The weakness aligns with underflow failures (CWE-191) and unhandled exceptions (CWE-248), potentially disrupting service for any application using the affected rules.

Affected Systems

The flaw exists in ModSecurity version 3.0.0 up to, but not including, 3.0.15, a cross‑platform web application firewall used with Apache, IIS, and Nginx. Systems running any of the affected ModSecurity 3.0.x releases are potentially impacted.

Risk and Exploitability

The CVSS score of 8.2 classifies the issue as High severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The precondition is an administrator who has loaded rules containing the vulnerable operators; inserting or modifying rule files requires local or privileged access, so the analysis treats this as an internal risk that can lead to denial of service if exploited. Note that the CVSS 4.0 vector recorded in the history below (AV:N/AC:L/AT:P/PR:N) scores the issue as reachable over the network without privileges once that precondition is met.

Generated by OpenCVE AI on May 13, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ModSecurity to version 3.0.15 or later to apply the vendor patch.
  • If an upgrade is not immediately possible, remove or comment out any rules that use the @verifySSN, @verifyCPF, or @verifySVNR operators until the patch is applied.
  • Monitor ModSecurity logs for std::out_of_range exceptions or unexpected crashes, and ensure fail‑over or graceful restart mechanisms are in place to mitigate service disruptions.
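To support the second action above, here is an added audit script (not OpenCVE's or ModSecurity's own code) that joins backslash-continued rule lines the way ModSecurity reads them, reports every active SecRule using @verifySSN, @verifyCPF or @verifySVNR, and checks whether a libmodsecurity version string falls inside the affected range. SAMPLE_RULES is constructed input, and matching operator names case-insensitively is an assumption made so that no variant spelling is missed.

```python
"""Audit ModSecurity v3 rule files for the operators named in this advisory and
check whether a libmodsecurity version is in the affected range [3.0.0, 3.0.15).
SAMPLE_RULES is constructed input, not a real rule set."""
import re

AFFECTED_OPERATORS = ("verifySSN", "verifyCPF", "verifySVNR")
FIRST_AFFECTED, FIXED_VERSION = (3, 0, 0), (3, 0, 15)
# Operator field of a SecRule: opening quote, optional '!' negation, '@name'.
# Case-insensitive matching is an assumption chosen to avoid missing variants.
_OP_RE = re.compile(r'"\s*!?@(' + "|".join(AFFECTED_OPERATORS) + r')\b', re.IGNORECASE)

SAMPLE_RULES = """\
# constructed sample rule set
SecRule ARGS:ssn "@verifySSN \\d{3}-\\d{2}-\\d{4}" \\
    "id:1001,phase:2,deny,log,msg:'SSN in request'"
SecRule REQUEST_BODY "@rx secret" "id:1002,phase:2,pass"
# SecRule ARGS:cpf "@verifyCPF \\d{3}\\.\\d{3}" "id:1003,phase:2,deny"
SecRule ARGS:svnr "!@verifySVNR \\d{10}" "id:1004,phase:2,deny"
"""

def logical_lines(text):
    """Yield (first_physical_line, text), joining backslash-continued lines as
    ModSecurity does so a multi-line rule is inspected as one unit."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = n if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)

def find_affected_rules(text):
    """Return [(line_no, operator)] for every active SecRule using an affected
    operator. Comment lines are skipped, so a commented-out rule counts as disabled."""
    hits = []
    for n, line in logical_lines(text):
        stripped = line.lstrip()
        if stripped.startswith("SecRule"):
            m = _OP_RE.search(stripped)
            if m:
                hits.append((n, m.group(1)))
    return hits

def is_affected_version(version):
    """True if a version string such as '3.0.14' falls in [3.0.0, 3.0.15)."""
    parts = tuple(map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups()))
    return FIRST_AFFECTED <= parts < FIXED_VERSION
```

Run `find_affected_rules` over each file that your `Include` directives pull in; on the sample it flags lines 2 and 6 and ignores the commented-out @verifyCPF rule.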


Advisories

No advisories yet.

History

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.
Title ModSecurity: Unsigned integer underflow in @verifySSN / @verifyCPF / @verifySVNR operators
Weaknesses CWE-191
CWE-248
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:40:19.031Z

Reserved: 2026-04-26T11:53:27.706Z

Link: CVE-2026-42268

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T22:16:34.337

Modified: 2026-05-12T22:16:34.337

Link: CVE-2026-42268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T00:45:26Z

Weaknesses