Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-22
Score: 9.2 Critical
EPSS: 4.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NGINX Plus and NGINX Open Source contain a heap buffer overflow in the ngx_http_rewrite_module when a rewrite directive uses a regex pattern with overlapping captures and a replacement string that references multiple captures. An unauthenticated attacker can send crafted HTTP requests that trigger the overflow, causing the NGINX worker process to restart. If the system has Address Space Layout Randomization disabled or the attacker can bypass ASLR, the overflow can also be used to execute arbitrary code.

Affected Systems

The vulnerability affects NGINX Open Source and NGINX Plus as provided by F5. Specific version information from the supplied CPE strings indicates that NGINX Open Source 1.31.0 is affected. All other installations of these products remain potentially vulnerable unless newer releases contain a patch.

Risk and Exploitability

The CVSS score of 9.2 indicates high severity. While the EPSS score is 0.04 (4%), the vulnerability can be exploited remotely without authentication by manipulating HTTP requests, and the lack of a KEV listing does not diminish the risk. If ASLR is disabled or evaded, remote code execution is possible, making the risk very high in environments that do not enforce memory protection.

Generated by OpenCVE AI on June 30, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NGINX to the latest supported release provided by F5
  • If an upgrade is not immediately possible, remove or disable the ngx_http_rewrite_module from the configuration
  • Ensure Address Space Layout Randomization is enabled on the server to mitigate the impact of the overflow
  • Apply the patch or configuration change as soon as the updated firmware or software is available

Generated by OpenCVE AI on June 30, 2026 at 16:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4634-1 nginx security update
Debian DSA Debian DSA DSA-6326-1 nginx security update
Ubuntu USN Ubuntu USN USN-8375-1 nginx vulnerabilities
History

Tue, 16 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_open_source:1.31.0:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Tue, 26 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_rewrite_module vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-06-30T12:10:51.319Z

Reserved: 2026-05-21T20:58:58.484Z

Link: CVE-2026-9256

cve-icon Vulnrichment

Updated: 2026-06-18T05:35:40.986Z

cve-icon NVD

Status : Modified

Published: 2026-05-22T15:16:27.073

Modified: 2026-06-18T06:16:58.190

Link: CVE-2026-9256

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-22T14:11:41Z

Links: CVE-2026-9256 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow