Heap Buffer Overflow in NGINX Plus and Open Source due to Regex Patterns
CVE-2026-9256
What is CVE-2026-9256?
A vulnerability exists in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source that an unauthenticated attacker can exploit. When specific rewrite directives use overlapping Perl-Compatible Regular Expressions (PCRE) captures and combine them in a replacement string within a redirect or arguments context, an attacker may craft HTTP requests that cause a heap buffer overflow in the NGINX worker process. The overflow can make the worker process restart and could also allow code execution on systems lacking Address Space Layout Randomization (ASLR) or where ASLR is bypassed.
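A configuration audit for the condition described above, as an added example that is not part of the advisory or of NGINX's own tooling: it lists rewrite rules whose replacement uses two capture groups, one nested inside the other, in a redirect or in a replacement containing "?". Reading "overlapping captures" as nested groups, and reading those two forms as the redirect and arguments contexts, are assumptions; the sample rules are constructed.

```python
import re

# Matches `rewrite <regex> <replacement> [flag];` (directive assumed to start its line).
REWRITE = re.compile(r'^\s*rewrite\s+("[^"]*"|\'[^\']*\'|\S+)\s+'
                     r'("[^"]*"|\'[^\']*\'|[^\s;]+)\s*(\w+)?\s*;', re.M)

def nested_pairs(pattern):
    """Return {(outer, inner)} numbered capture groups where inner sits inside outer."""
    pairs, stack, count, i, in_class = set(), [], 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1                          # step over the escaped character too
        elif in_class or c == "[":
            in_class = c != "]"             # parentheses inside [...] are literals
        elif c == "(":
            # (?:...) and lookarounds do not capture; named groups do.
            capturing = not pattern.startswith("(?", i) or bool(
                re.match(r"\(\?(P?<[A-Za-z_]|')", pattern[i:]))
            if capturing:
                count += 1
                pairs.update((outer, count) for outer in stack if outer)
            stack.append(count if capturing else 0)
        elif c == ")" and stack:
            stack.pop()
        i += 1
    return pairs

def audit(config_text):
    """Return (pattern, replacement, nested pairs used) for rules that need review."""
    findings = []
    for m in REWRITE.finditer(config_text):
        pattern, repl = (s.strip("\"'") for s in m.group(1, 2))
        redirect = m.group(3) in ("redirect", "permanent") or repl.startswith(
            ("http://", "https://", "$scheme"))
        used = {int(n) for n in re.findall(r"\$([1-9])", repl)}
        hit = sorted(p for p in nested_pairs(pattern) if set(p) <= used)
        if hit and (redirect or "?" in repl):   # assumed redirect / arguments context
            findings.append((pattern, repl, hit))
    return findings

SAMPLE = r"""
rewrite ^/old/((\w+)/(\d+))$ /new/$2?path=$1 last;
rewrite ^/a/(\w+)/(\d+)$ /b/$2?name=$1 last;
rewrite "^/dl/((?:v\d{1,2})/(.*))$" https://cdn.example.com/$1/$2;
rewrite ^/x/((.*))$ /y/$1 last;
"""  # constructed rules, not taken from the advisory

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running audit() over the output of `nginx -T` covers included files as well; a finding marks a rule to review, not proof that the instance is exploitable.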
Affected Version(s)
NGINX Open Source 1.31.0 < 1.31.1
NGINX Open Source 1.30.0 < 1.30.2
NGINX Open Source 0.1.17 <= 0.9.7
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved