Heap Buffer Overflow in NGINX Plus and Open Source due to Regex Patterns
CVE-2026-9256
9.2 CRITICAL
What is CVE-2026-9256?
A vulnerability exists in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source, which can be exploited by an unauthenticated attacker. When specific rewrite directives utilize overlapping Perl-Compatible Regular Expressions (PCRE) captures, and combine them in a replacement string within a redirect or arguments context, an attacker may craft HTTP requests that lead to a heap buffer overflow in the NGINX worker process. This scenario can result in the process restarting and could also allow code execution on systems lacking Address Space Layout Randomization (ASLR) or where ASLR is bypassed.
Affected Version(s)
NGINX Open Source 1.31.0 < 1.31.1
NGINX Open Source 1.30.0 < 1.30.2
NGINX Open Source 0.1.17
CVSS V4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
"F5 acknowledges Mufeed VH of Winfunc Research, Nebula Security (@nebusecurity), and Vexera AI for bringing this issue to our attention and following the highest standards of coordinated disclosure."