CVE-2026-9256 Overview
CVE-2026-9256 is a heap buffer overflow [CWE-122] in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source. The flaw triggers when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures, such as ^/((.*))$, and a replacement string referencing multiple captures like $1$2 in a redirect or arguments context. An unauthenticated remote attacker can send crafted HTTP requests to corrupt heap memory in the NGINX worker process. The result is typically a worker restart, but code execution is possible on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.
Critical Impact
Unauthenticated network attackers can corrupt heap memory in NGINX worker processes, causing denial of service and potential remote code execution when ASLR protections are absent or bypassed.
Affected Products
- NGINX Plus
- NGINX Open Source
- Configurations using ngx_http_rewrite_module with overlapping PCRE captures in redirect or arguments contexts
Discovery Timeline
- 2026-05-22 - CVE-2026-9256 published to NVD
- 2026-05-23 - Last updated in NVD database
Technical Details for CVE-2026-9256
Vulnerability Analysis
The vulnerability resides in how ngx_http_rewrite_module constructs replacement strings during regex-based URL rewrites. When a rewrite directive defines overlapping PCRE captures, such as nested parenthesized groups in ^/((.*))$, NGINX miscalculates the buffer size required to hold the substituted result. The replacement string referencing both captures, for example $1$2, expands beyond the allocated heap region.
The overflow occurs in the worker process during request handling. The most common outcome is a crash followed by worker restart, producing a denial of service condition. On systems without ASLR or where an attacker can leak addresses to defeat ASLR, the heap corruption can be steered toward arbitrary code execution in the worker context.
The CWE-122 classification confirms heap-based buffer overflow as the underlying weakness. The EPSS score is 0.177% at the 38.87 percentile as of 2026-05-28, reflecting the high attack complexity noted in the CVSS vector.
Root Cause
The root cause is incorrect length calculation when expanding regex back-references that originate from distinct but overlapping capture groups. The module reserves heap space sized for the expected expansion but fails to account for the additional bytes produced when multiple overlapping captures are concatenated in the replacement string.
Attack Vector
Exploitation requires an HTTP request that traverses an NGINX location containing a vulnerable rewrite directive in a redirect (return 301/return 302) or arguments context. The attacker sends a request whose URI matches the regex in a way that maximizes the overlap between captures, forcing the heap write to exceed the allocated boundary. No authentication is required. The CVSS vector reflects high attack complexity because the vulnerable directive pattern must already be present in the server configuration.
No public proof-of-concept code is available. Refer to the F5 Security Article K000161377 and the Openwall OSS Security advisory for technical detail provided by the vendor.
Detection Methods for CVE-2026-9256
Indicators of Compromise
- Unexpected NGINX worker process crashes or signal 11 (SIGSEGV) entries in error.log correlated with HTTP requests against locations that use rewrite directives.
- Repeated worker process exited on signal messages followed by worker process restart events within short intervals.
- HTTP request URIs containing unusually long or repetitive path segments targeting endpoints handled by rewrite ... redirect or rewrites that populate query arguments.
Detection Strategies
- Audit all NGINX configurations for rewrite directives whose regex contains overlapping captures such as ((.*)) combined with replacements referencing multiple back-references like $1$2.
- Enable and monitor NGINX error.log at warn level or higher and forward worker crash signals to centralized logging.
- Correlate access log entries with worker restart timestamps to identify the specific request that triggered the crash.
Monitoring Recommendations
- Alert on any NGINX worker process termination by signal in production environments.
- Track HTTP 502/504 spikes from upstream NGINX tiers that may indicate worker churn caused by exploitation attempts.
- Verify that ASLR is enabled on all hosts running NGINX by confirming /proc/sys/kernel/randomize_va_space returns 2.
How to Mitigate CVE-2026-9256
Immediate Actions Required
- Apply the patched NGINX Plus or NGINX Open Source release referenced in F5 Security Article K000161377 as soon as available for your distribution.
- Inventory all rewrite directives across server blocks and identify any using overlapping PCRE captures with multi-reference replacements.
- Confirm ASLR is enabled on every host running NGINX to reduce the likelihood of code execution outcomes.
Patch Information
F5 has published guidance under article K000161377 covering fixed versions for NGINX Plus and NGINX Open Source. Versions that have reached End of Technical Support (EoTS) are not evaluated by the vendor and should be upgraded to a supported, patched release. Consult the F5 advisory and the Openwall OSS Security notice for the precise fixed version numbers applicable to your build.
Workarounds
- Rewrite vulnerable directives to avoid overlapping captures; replace patterns like ^/((.*))$ with a single non-overlapping group such as ^/(.*)$ and adjust replacements to reference one capture.
- Remove unnecessary rewrite ... redirect and argument-context rewrites from public-facing server blocks until patching is complete.
- Place a web application firewall (WAF) or upstream proxy in front of NGINX to filter requests whose URIs trigger the vulnerable rewrite paths.
# Configuration example - replace overlapping captures with a single group
# Vulnerable pattern:
# rewrite ^/((.*))$ /new/$1$2 redirect;
#
# Safer rewrite using a single, non-overlapping capture:
location / {
rewrite ^/(.*)$ /new/$1 redirect;
}
# Verify ASLR is fully enabled on Linux hosts running NGINX
cat /proc/sys/kernel/randomize_va_space # expect: 2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
