[Pkg-nginx-maintainers] Bug#1137339: nginx: CVE-2026-9256

Carlos Henrique Lima Melara charles at debian.org
Wed Jun 3 02:47:16 BST 2026


Hi Jan,

On Fri, May 22, 2026 at 09:38:12PM +0200, Salvatore Bonaccorso wrote:
> 
> The following vulnerability was published for nginx.
> 
> CVE-2026-9256[0]:
> | NGINX Plus and NGINX Open Source have a vulnerability in the
> | ngx_http_rewrite_module module. This vulnerability exists when a
> | rewrite directive uses a regex pattern with distinct, overlapping
> | Perl-Compatible Regular Expression (PCRE) captures (for example,
> | ^/((.*))$) and a replacement string that references multiple such
> | captures (for example, $1$2) in a redirect or arguments context. An
> | unauthenticated attacker along with conditions beyond their control
> | can exploit this vulnerability by sending crafted HTTP requests.
> | This may cause a heap buffer overflow in the NGINX worker process
> | leading to a restart. Additionally, attackers can execute code on
> | systems with Address Space Layout Randomization (ASLR) disabled or
> | when the attacker can bypass ASLR. Note: Software versions which
> | have reached End of Technical Support (EoTS) are not evaluated.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'm working on fixing this vulnerability for LTS sponsored by Freexian
and have the attached debdiff for bullseye. If you'd like to check, it'd
be appreciated. I plan to upload by the end of the weekend. Also, I can
help do the work to fix CVE-2026-9256 and CVE-2026-42946 in stable and
oldstable if you would like help there (and I can also fill the p-u
bugs).

Cheers,
Charles
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx_1.18.0-6.1+deb11u7.diff
Type: text/x-diff
Size: 3991 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-nginx-maintainers/attachments/20260602/cf0b9e4b/attachment.diff>
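
Added example, not part of the message above or of the attached debdiff: a heuristic audit that flags rewrite directives matching the conditions in the CVE description (nested captures, both referenced in the replacement, in a redirect or arguments context). The sample configuration is constructed, and reading "redirect or arguments context" as a redirect flag, an absolute-URL replacement, or a "?" in the replacement is an assumption.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = r"""
server {
    rewrite ^/((.*))$ http://example.test/$1$2 redirect;
    rewrite ^/old/(.*)$ /new/$1 last;
    rewrite ^/a/((\d+)/(.*))$ /b?id=$2&path=$1;
    rewrite ^/(?:x|y)/(.*)/(.*)$ /z/$1/$2 permanent;
}
"""

# Unquoted "rewrite regex replacement [flag];" directives only.
REWRITE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\w+))?\s*;", re.M)
# Tokens: escaped char, character class, group opener, group closer.
TOKEN = re.compile(r"\\.|\[(?:\\.|[^\]])*\]|\((?:\?P?<[A-Za-z_]|\?)?|\)")

def capture_spans(pattern):
    """Map each capturing group number to its (open, close) offsets."""
    spans, stack, count = {}, [], 0
    for tok in TOKEN.finditer(pattern):
        text = tok.group()
        if text.startswith("("):
            if text == "(" or "<" in text:  # plain or named capturing group
                count += 1
                stack.append((count, tok.start()))
            else:
                stack.append(None)  # non-capturing group or lookaround
        elif text == ")" and stack:
            opened = stack.pop()
            if opened:
                spans[opened[0]] = (opened[1], tok.start())
    return spans

def risky_rewrites(conf):
    """Return (regex, replacement) pairs matching the advisory's conditions."""
    findings = []
    for regex, repl, flag in REWRITE.findall(conf):
        spans = capture_spans(regex)
        used = {int(n) for n in re.findall(r"\$(\d)", repl) if int(n) in spans}
        nested = any(spans[a][0] < spans[b][0] and spans[b][1] < spans[a][1]
                     for a in used for b in used)
        # Assumption: "redirect or arguments context" means a redirect flag,
        # an absolute-URL replacement, or a "?" in the replacement.
        redirect_or_args = (flag in ("redirect", "permanent") or "?" in repl
                            or repl.startswith(("http://", "https://", "$scheme")))
        if nested and redirect_or_args:
            findings.append((regex, repl))
    return findings
```

A hit identifies a directive to review or rewrite until the fixed package is installed; a clean result does not cover quoted patterns or files pulled in through include.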

