Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-22
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NGINX Plus and NGINX Open Source contain a heap buffer overflow in the ngx_http_rewrite_module when a rewrite directive uses a regex pattern with overlapping captures and a replacement string that references multiple captures. An unauthenticated attacker can send crafted HTTP requests that trigger the overflow, causing the NGINX worker process to restart. If the system has Address Space Layout Randomization disabled or the attacker can bypass ASLR, the overflow can also be used to execute arbitrary code.

Affected Systems

The vulnerability affects NGINX Open Source and NGINX Plus as provided by F5. No specific version information is listed, so all installations of these products potentially remain vulnerable unless newer releases contain a patch.

Risk and Exploitability

The CVSS score of 9.2 indicates high severity. While the EPS score is not available, the vulnerability can be exploited remotely without authentication by manipulating HTTP requests, and the lack of a KEV listing does not diminish the risk. If ASLR is disabled or evaded, remote code execution is possible, making the risk very high in environments that do not enforce memory protection.

Generated by OpenCVE AI on May 22, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NGINX to the latest supported release provided by F5
  • If an upgrade is not immediately possible, remove or disable the ngx_http_rewrite_module from the configuration
  • Ensure Address Space Layout Randomization is enabled on the server to mitigate the impact of the overflow
  • Apply the patch or configuration change as soon as the updated firmware or software is available

Generated by OpenCVE AI on May 22, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_rewrite_module vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-23T03:55:52.757Z

Reserved: 2026-05-21T20:58:58.484Z

Link: CVE-2026-9256

cve-icon Vulnrichment

Updated: 2026-05-23T00:35:26.077Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T15:45:16Z

Weaknesses