CVE-2026-30923 Overview
CVE-2026-30923 is a denial-of-service vulnerability in libModSecurity3, the core engine of the OWASP ModSecurity v3 web application firewall (WAF) for Apache, IIS, and Nginx. The flaw triggers a segmentation fault when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. Attackers can crash WAF worker processes remotely without authentication, disrupting traffic inspection until the attack stops. All versions of libModSecurity3 prior to 3.0.15 are affected, and the issue is classified as an out-of-bounds read [CWE-125].
Critical Impact
Unauthenticated remote attackers can crash ModSecurity worker processes by sending crafted single-character query parameters, causing recurring denial of service against any web application protected by the affected WAF.
Affected Products
- OWASP ModSecurity (libModSecurity3) versions prior to 3.0.15
- Apache, IIS, and Nginx deployments using libModSecurity3
- Any WAF ruleset relying on the t:hexDecode transformation
Discovery Timeline
- 2026-05-05 - CVE-2026-30923 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-30923
Vulnerability Analysis
The vulnerability resides in the hexDecode transformation routine within libModSecurity3. The function decodes hexadecimal-encoded input by processing pairs of characters and converting them into bytes. When a query string parameter contains only a single character, the routine reads beyond the allocated buffer boundary while attempting to access the second character of the pair.
This out-of-bounds read [CWE-125] causes a segmentation fault that terminates the worker process handling the request. The crash impacts availability only — confidentiality and integrity are not affected. Service automatically resumes once attack traffic stops, as worker processes are restarted by the parent web server. However, sustained traffic containing the malicious pattern produces persistent denial of service against the protected application.
Root Cause
The root cause is missing input length validation in the hexDecode transformation. The function assumes that any input passed to it contains an even number of characters or at least two characters when decoding. A single-character input violates this assumption and triggers a read past the end of the input buffer. The EPSS score for this vulnerability is 0.042% with a percentile of 12.699.
Attack Vector
Exploitation requires no authentication and no user interaction. An attacker sends an HTTP request to any endpoint protected by ModSecurity where a configured rule applies the t:hexDecode transformation to a query string parameter. The query parameter must contain exactly one character to trigger the segfault. Because ModSecurity Core Rule Set (CRS) and many custom rulesets use hexDecode for normalization, a wide range of deployments may be exposed.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-qrjc-3jpc-3h2g.
Detection Methods for CVE-2026-30923
Indicators of Compromise
- Repeated worker process crashes or segmentation fault entries in Apache, Nginx, or IIS error logs correlating with libModSecurity3 stack frames
- HTTP requests with single-character query string parameter values targeting endpoints inspected by hexDecode rules
- Sudden gaps in ModSecurity audit logs caused by worker termination mid-request
Detection Strategies
- Inspect web server error logs for signal 11 or SIGSEGV events referencing modsecurity or libmodsecurity3 shared objects
- Correlate worker crash events with inbound request patterns containing minimal-length query parameters
- Monitor WAF rule evaluation telemetry for unexpected termination of transactions before rule completion
Monitoring Recommendations
- Enable verbose ModSecurity audit logging and forward logs to a centralized analytics platform for correlation
- Alert on elevated rates of worker process restarts on edge web servers
- Track HTTP 5xx error spikes associated with WAF-protected endpoints to detect availability impact
How to Mitigate CVE-2026-30923
Immediate Actions Required
- Upgrade libModSecurity3 to version 3.0.15 or later on all Apache, IIS, and Nginx hosts running the WAF
- Audit active rulesets to identify rules using the t:hexDecode transformation and document exposure
- Restart web server worker processes after deploying the patched library to ensure the fix is loaded
Patch Information
The vulnerability is patched in libModSecurity3 version 3.0.15. The fix adds proper length validation to the hexDecode transformation. Release artifacts and source are available from the GitHub ModSecurity Release v3.0.15.
Workarounds
- Temporarily remove or disable rules that apply t:hexDecode to user-controlled query string parameters until patching completes
- Add an upstream filter or rate limit rejecting query string parameters with a single-character value where business logic permits
- Place an additional protective layer such as a CDN or reverse proxy with request validation in front of unpatched ModSecurity instances
# Configuration example: verify installed libModSecurity3 version
ldconfig -p | grep libmodsecurity
strings /usr/lib/libmodsecurity.so.3 | grep -i "3.0."
# Nginx: reload after upgrading the library
nginx -t && systemctl reload nginx
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
