CVE-2026-9256
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
31- osv-coords30 versionspkg:apk/chainguard/nginx-mainlinepkg:apk/chainguard/nginx-stablepkg:apk/wolfi/nginx-mainlinepkg:apk/wolfi/nginx-stablepkg:bitnami/nginxpkg:bitnami/nginx-gatewaypkg:rpm/almalinux/nginxpkg:rpm/almalinux/nginx-all-modulespkg:rpm/almalinux/nginx-corepkg:rpm/almalinux/nginx-filesystempkg:rpm/almalinux/nginx-mod-develpkg:rpm/almalinux/nginx-mod-http-image-filterpkg:rpm/almalinux/nginx-mod-http-perlpkg:rpm/almalinux/nginx-mod-http-xslt-filterpkg:rpm/almalinux/nginx-mod-mailpkg:rpm/almalinux/nginx-mod-streampkg:rpm/opensuse/nginx&distro=openSUSE%20Tumbleweedpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 1.31.1-r2+ 29 more
- (no CPE)range: < 1.31.1-r2
- (no CPE)range: < 1.30.2-r0
- (no CPE)range: < 1.31.1-r2
- (no CPE)range: < 1.30.2-r0
- (no CPE)range: >= 0.1.17, < 1.24.0
- (no CPE)range: >= 0.1.17, < 2.2.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1:1.24.0-7.module_el9.8.0+259+a3b861bb.2.alma.1
- (no CPE)range: < 1.31.1-1.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150600.10.21.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150600.10.21.1
- (no CPE)range: < 1.27.2-160000.5.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150600.10.21.1
- (no CPE)range: < 1.27.2-160000.5.1
Patches
Vulnerability mechanics
References
2- www.openwall.com/lists/oss-security/2026/05/22/14nvdMailing ListThird Party Advisory
- my.f5.com/manage/s/article/K000161377nvdMitigationVendor Advisory
News mentions
2- ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain ChaosThe Hacker News · May 25, 2026
- Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!Cyber Security News · May 23, 2026