CVE-2026-9256: CWE-122 Heap-based Buffer Overflow in F5 NGINX Plus
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
This vulnerability in F5's NGINX Plus involves the ngx_http_rewrite_module where overlapping Perl-Compatible Regular Expression captures in rewrite directives can lead to a heap-based buffer overflow. The issue arises when the replacement string references multiple overlapping captures, enabling an attacker to send crafted HTTP requests that trigger the overflow. The impact includes worker process restarts and potential code execution on systems without effective ASLR protections. The CVSS v3.1 score is 8.1, indicating high severity. Affected versions are 37.0, R36, and R32. No patch or official remediation level has been disclosed by the vendor as of the publication date.
Potential Impact
Exploitation can cause the NGINX worker process to crash and restart, resulting in denial of service. On systems where ASLR is disabled or can be bypassed, attackers may achieve remote code execution, leading to full compromise of the affected system. The vulnerability requires no privileges or user interaction but has a high attack complexity due to specific conditions in regex usage.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid using rewrite directives with overlapping PCRE captures and multiple references in replacement strings in redirect or arguments contexts. Monitor vendor communications for updates on patches or official mitigations.
CVE-2026-9256: CWE-122 Heap-based Buffer Overflow in F5 NGINX Plus
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in F5's NGINX Plus involves the ngx_http_rewrite_module where overlapping Perl-Compatible Regular Expression captures in rewrite directives can lead to a heap-based buffer overflow. The issue arises when the replacement string references multiple overlapping captures, enabling an attacker to send crafted HTTP requests that trigger the overflow. The impact includes worker process restarts and potential code execution on systems without effective ASLR protections. The CVSS v3.1 score is 8.1, indicating high severity. Affected versions are 37.0, R36, and R32. No patch or official remediation level has been disclosed by the vendor as of the publication date.
Potential Impact
Exploitation can cause the NGINX worker process to crash and restart, resulting in denial of service. On systems where ASLR is disabled or can be bypassed, attackers may achieve remote code execution, leading to full compromise of the affected system. The vulnerability requires no privileges or user interaction but has a high attack complexity due to specific conditions in regex usage.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid using rewrite directives with overlapping PCRE captures and multiple references in replacement strings in redirect or arguments contexts. Monitor vendor communications for updates on patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- f5
- Date Reserved
- 2026-05-21T20:58:58.484Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a10685ce1370fbb4807627c
Added to database: 5/22/2026, 2:29:48 PM
Last enriched: 5/22/2026, 2:44:44 PM
Last updated: 5/23/2026, 7:50:51 AM
Views: 30
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.