A critical security vulnerability has been disclosed in NGINX’s ngx_http_rewrite_module, one of the most widely deployed components in modern web infrastructure. It is tracked as CVE-2026-9256 and was published by F5 on May 22, 2026.
The flaw carries a CVSS v4.0 score of 9.2 (Critical) and a CVSS v3.1 score of 8.1 (High), making it one of the most severe NGINX vulnerabilities disclosed in recent years.
With NGINX powering over 30% of the world’s web servers, the blast radius of this flaw is enormous. CVE-2026-9256 is a heap-based buffer overflow vulnerability (CWE-122) residing in NGINX’s ngx_http_rewrite_module.
The flaw is triggered when a rewrite directive uses a regex pattern containing distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures, for example ^/((.*))$, together with a replacement string that references multiple captures, such as $1$2, in a redirect or arguments context.
CVE-2026-9256: NGINX Heap Overflow Vulnerability
When exploited, a remote, unauthenticated attacker can send a specially crafted HTTP request that overflows the heap buffer in the NGINX worker process. This leads to a worker process restart (DoS) at a minimum.
On systems where Address Space Layout Randomization (ASLR) is disabled or an attacker can bypass it, the vulnerability can escalate to potential Remote Code Execution (RCE), a critical threat in any production web environment.
F5 has assigned internal tracking ID 161 (NGINX) to this issue. Importantly, this is a data-plane issue only, with no control-plane exposure reported.
The vulnerability impacts a wide range of NGINX products. Below is a consolidated summary:
- NGINX Plus 37.x – version 37.0.0 is vulnerable; fixed in 37.0.1.1
- NGINX Plus R32–R36 – fixed in R36 P5 and R32 P7
- NGINX Open Source 1.31.0 and 1.0.0–1.30.1 – fixed in 1.31.1 and 1.30.2
- NGINX Open Source 0.1.17–0.9.7 – marked “Will Not Fix” by F5
- NGINX Instance Manager 2.17.0–2.22.0 – no fix yet available
- F5 WAF for NGINX 5.9.0–5.13.0 – no fix yet available
- NGINX App Protect WAF 5.2.0–5.8.0 and 4.10.0–4.16.0 – no fix yet available
- NGINX App Protect DoS 4.3.0–4.7.0 – no fix yet available
- NGINX Gateway Fabric 2.0.0–2.6.1 and 1.3.0–1.6.2 – no fix yet available
- NGINX Ingress Controller 3.5.0–5.4.2 – no fix yet available
- F5 DoS for NGINX 4.9.0 – no fix yet available
Products confirmed not vulnerable include BIG-IP (all modules), BIG-IQ, F5 Distributed Cloud, F5 Silverline, NGINX One Console, F5OS, Traffix SDC, and F5 AI Gateway.
The vulnerability stems from the way NGINX processes overlapping PCRE capture groups in rewrite rules. When unnamed capture groups overlap, such as in the pattern ^/((.*))$, the internal buffer accounting in the ngx_http_rewrite_module fails to allocate memory correctly.
Referencing both $1 and $2 in a replacement string then causes the heap write to exceed its allocated boundary, corrupting adjacent memory regions.
This class of bug is particularly dangerous in high-traffic environments because exploitation requires only a crafted HTTP request, no authentication, no prior access, and no user interaction.
The attack complexity is rated High (AC:H) due to the need for specific server configurations and conditions partially beyond the attacker’s control, such as ASLR being disabled.
Mitigation
F5 has provided a concrete mitigation for organizations that cannot immediately patch. The fix involves replacing unnamed PCRE capture groups with named captures in all rewrite directives.
Vulnerable configuration example:
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
Mitigated configuration using named captures:
rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
This change eliminates the overlapping capture condition that triggers the buffer overflow, providing an effective workaround until patches are applied across all affected product branches.
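As an added defender-side example (not code from F5, NGINX, or the advisory), the following Python audit scans rewrite directives for the shape described above, unnamed capture groups in the regex paired with numeric $N references in the replacement, and emits the equivalent named-capture directive suggested as the workaround. The sample directives are constructed for the demo; the generated group names g1, g2, ... are an assumption of this script.

```python
import re

# Matches a one-line directive: rewrite <regex> <replacement> [flag];
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+?))?\s*;')
NUMERIC_REF_RE = re.compile(r'\$([1-9])')  # nginx replacement refs are $1..$9

def name_captures(regex):
    """Turn each unnamed '(' into '(?<gN>'; return (new_regex, unnamed_count).
    Escapes, character classes and any '(?...' construct are copied unchanged."""
    out, n, in_class, i = [], 0, False, 0
    while i < len(regex):
        c = regex[i]
        if c == '\\' and i + 1 < len(regex):  # keep escaped char verbatim
            out.append(regex[i:i + 2]); i += 2
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(' and not regex.startswith('(?', i):
            n += 1
            out.append('(?<g%d>' % n); i += 1
            continue
        out.append(c); i += 1
    return ''.join(out), n

def audit_rewrites(config_text):
    """Flag rewrites pairing unnamed captures with $N refs; suggest named form."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        regex, repl = m.group(1).strip('"\''), m.group(2).strip('"\'')
        named_regex, unnamed = name_captures(regex)
        refs = sorted({int(r) for r in NUMERIC_REF_RE.findall(repl)})
        if unnamed and refs:
            fixed_repl = NUMERIC_REF_RE.sub(lambda r: '$g' + r.group(1), repl)
            flag = ' ' + m.group(3) if m.group(3) else ''
            findings.append({'line': lineno, 'unnamed_groups': unnamed, 'refs': refs,
                             'suggested': 'rewrite %s %s%s;' % (named_regex, fixed_repl, flag)})
    return findings

# Constructed sample directives for the demo, not taken from a real deployment.
SAMPLE_CONFIG = """\
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
rewrite ^/((.*))$ /index.php?path=$1$2 redirect;
rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
rewrite ^/old/(?:foo|bar)$ /new permanent;
"""
```

Running audit_rewrites(SAMPLE_CONFIG) flags only the first two directives; the already-named and non-capturing ones pass. Directives split across several lines or using variables in the regex are outside what this one-line matcher handles.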
Organizations should prioritize upgrading to the following patched versions immediately:
- NGINX Plus: Upgrade to 37.0.1.1 or apply R36 P5 / R32 P7 patches
- NGINX Open Source: Upgrade to 1.31.1 or 1.30.2
For products where fixes have not yet been released, including NGINX Instance Manager, NGINX Gateway Fabric, NGINX Ingress Controller, and NGINX App Protect, F5 strongly recommends applying the named capture mitigation immediately and monitoring F5’s security advisory page (K000161377) for updates on patch availability.
FAQ
Q1: What is CVE-2026-9256?
CVE-2026-9256 is a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module that allows unauthenticated remote attackers to cause denial-of-service or potentially execute arbitrary code on vulnerable systems.
Q2: Which NGINX versions are affected by CVE-2026-9256?
NGINX Plus 37.0.0, NGINX Open Source 1.31.0 and 1.0.0–1.30.1, NGINX Instance Manager 2.17.0–2.22.0, and several versions of NGINX App Protect, Gateway Fabric, and Ingress Controller are confirmed vulnerable.
Q3: Is a patch available for CVE-2026-9256?
Patches are available for NGINX Plus (37.0.1.1, R36 P5, R32 P7) and NGINX Open Source (1.31.1, 1.30.2), but several other affected products still lack fixes and should use the named capture mitigation in the interim.
Q4: How can I mitigate CVE-2026-9256 without patching?
Replace unnamed PCRE capture groups ($1, $2) with named captures (e.g., (?<name>pattern)) in all NGINX rewrite directives to eliminate the overlapping capture condition that triggers the overflow.
Site: thecybrdef.com