diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog	2026-05-16 08:59:31.000000000 -0300
+++ nginx-1.18.0/debian/changelog	2026-05-30 16:09:59.000000000 -0300
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1+deb11u7) bullseye-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * debian/patches/CVE-2026-9256.patch: cherry-pick from upstream.
+    (Closes: #1137339)
+
+ -- Carlos Henrique Lima Melara <charlesmelara@riseup.net>  Sat, 30 May 2026 16:09:59 -0300
+
 nginx (1.18.0-6.1+deb11u6) bullseye-security; urgency=medium
 
   * d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642.
diff -Nru nginx-1.18.0/debian/patches/CVE-2026-9256.patch nginx-1.18.0/debian/patches/CVE-2026-9256.patch
--- nginx-1.18.0/debian/patches/CVE-2026-9256.patch	1969-12-31 21:00:00.000000000 -0300
+++ nginx-1.18.0/debian/patches/CVE-2026-9256.patch	2026-05-30 16:08:05.000000000 -0300
@@ -0,0 +1,72 @@
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 14 May 2026 18:42:18 +0400
+Subject: Rewrite: fix buffer overflow with overlapping captures
+
+When the rewrite replacement string had no variables, but had
+overlapping captures, the length of the allocated buffer could be
+smaller than the replacement string.  This could happen either
+when the "redirect" parameter is specified, or when arguments are
+present in the replacement string.
+
+The following configurations resulted in heap buffer overflow when
+using URI "/++++++++++++++++++++++++++++++":
+
+    location / {
+        rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
+        return 200 foo;
+    }
+
+    location / {
+        rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
+        return 200 foo;
+    }
+
+Reported by Mufeed VH of Winfunc Research.
+
+Origin: upstream, https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068
+Forwarded: not-needed
+Last-Update: 2026-05-30
+---
+ src/http/ngx_http_script.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+index 302f842..d13ca2d 100644
+--- a/src/http/ngx_http_script.c
++++ b/src/http/ngx_http_script.c
+@@ -999,6 +999,8 @@ ngx_http_script_start_args_code(ngx_http_script_engine_t *e)
+ void
+ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
+ {
++    int                           *cap;
++    u_char                        *p;
+     size_t                         len;
+     ngx_int_t                      rc;
+     ngx_uint_t                     n;
+@@ -1105,15 +1107,19 @@ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
+     if (code->lengths == NULL) {
+         e->buf.len = code->size;
+ 
+-        if (code->uri) {
+-            if (r->ncaptures && (r->quoted_uri || r->plus_in_uri)) {
+-                e->buf.len += 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len,
+-                                                 NGX_ESCAPE_ARGS);
+-            }
+-        }
++        cap = r->captures;
++        p = r->captures_data;
+ 
+         for (n = 2; n < r->ncaptures; n += 2) {
+-            e->buf.len += r->captures[n + 1] - r->captures[n];
++            e->buf.len += cap[n + 1] - cap[n];
++
++            if (code->uri) {
++                if (r->quoted_uri || r->plus_in_uri) {
++                    e->buf.len += 2 * ngx_escape_uri(NULL, &p[cap[n]],
++                                                     cap[n + 1] - cap[n],
++                                                     NGX_ESCAPE_ARGS);
++                }
++            }
+         }
+ 
+     } else {
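Review bot: The rewritten sizing loop in the `code->lengths == NULL` branch of `ngx_http_script_regex_start_code()` carries no comment stating the invariant the fix depends on: `e->buf.len` must be an upper bound on what the capture-copy code later writes into the buffer. I would add above the loop `/* worst case: each capture counted once, plus 2 extra bytes for every character ngx_escape_uri() would escape in that capture */`, so a later refactor or backport does not go back to the single estimate over `r->uri` that the removed lines used. Separately, `&p[cap[n]]` is now evaluated for every capture pair. If the regex library reports a non-participating group as -1/-1 (not visible on this page), the length is 0 and nothing is read, but the address is formed before `captures_data`, so `if (cap[n + 1] <= cap[n]) { continue; }` at the top of the loop body would be a cheap guard. The function body starts and ends outside the patch's hunks and the copy side is not shown, so the bound should be checked against the 1.18.0 copy code rather than assumed from upstream.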
diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series
--- nginx-1.18.0/debian/patches/series	2026-05-16 08:59:31.000000000 -0300
+++ nginx-1.18.0/debian/patches/series	2026-05-30 16:01:33.000000000 -0300
@@ -19,4 +19,5 @@
 CVE-2026-40701.patch
 CVE-2026-42934.patch
 CVE-2025-53859.patch
+CVE-2026-9256.patch
 # see also debian/modules/patches/
