Hi Salvatore,

thank you for opening a Debian issue.

The bug affects CRS after 3.3.3, the first affected version is 3.3.4, so I
needed to add a patch to bookworm (Debian 12) and trixie (Debian 13). The
new modsecurity-crs packages for these Debian versions are done (in Salsa),
and I imported the new upstream version to Salsa's master branch. (Before
CRS 3.3.4 the affected rule didn't exist.)

We will review the patches and package states soon and will release the
package.

Thank you again,


a.


On Fri, Jan 9, 2026 at 5:53 AM Salvatore Bonaccorso <[email protected]>
wrote:

> Source: modsecurity-crs
> Version: 3.3.7-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for modsecurity-crs.
>
> CVE-2026-21876[0]:
> | The OWASP core rule set (CRS) is a set of generic attack detection
> | rules for use with compatible web application firewalls. Prior to
> | versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when
> | processing multipart requests with multiple parts. When the first
> | rule in a chain iterates over a collection (like
> | `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`)
> | get overwritten with each iteration. Only the last captured value is
> | available to the chained rule, which means malicious charsets in
> | earlier parts can be missed if a later part has a legitimate
> | charset. Versions 4.22.0 and 3.3.8 patch the issue.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-21876
>     https://www.cve.org/CVERecord?id=CVE-2026-21876
> [1] https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
> [2] https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
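
The advisory quoted above describes why the chained rule missed charsets in earlier parts: the capturing rule iterates over the part headers and each iteration overwrites the single capture slot, so the chained allow-list check only ever sees the last value. The following Python model, added here as an illustration and not code from CRS, ModSecurity or this bug report, reproduces that detection gap on a constructed two-part body and contrasts it with checking every part. The charset allow-list, boundary, part contents and the disallowed value `x-unexpected` are all constructed for the demo and do not correspond to the real rule's configuration.

```python
"""Model of the 'last capture wins' bug described for rule 922110.

Added example, not CRS or ModSecurity code. The allow-list, boundary and
multipart body are constructed stand-ins, not values from the advisory.
"""
import re
from typing import Optional

# Assumed allow-list of charsets (a stand-in, not the real CRS setting).
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}

CHARSET_RE = re.compile(r"charset\s*=\s*\"?([A-Za-z0-9._-]+)\"?", re.IGNORECASE)


def split_parts(body: str, boundary: str) -> list[str]:
    """Split a multipart body into raw parts (headers + payload).

    Minimal splitter for the demo: CRLF line endings, no nested multiparts.
    """
    delimiter = "--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):  # closing delimiter "--boundary--"
            break
        parts.append(chunk.lstrip("\r\n"))
    return parts


def part_charset(raw_part: str) -> Optional[str]:
    """Return the charset declared in a part's Content-Type header, if any."""
    headers, _, _ = raw_part.partition("\r\n\r\n")
    for line in headers.split("\r\n"):
        if line.lower().startswith("content-type:"):
            m = CHARSET_RE.search(line)
            return m.group(1).lower() if m else None
    return None


def check_last_capture_only(parts: list[str]) -> list[str]:
    """Model of the pre-fix behaviour: every part header is visited, but each
    visit overwrites the one capture slot (think TX:1), so the chained
    allow-list check only ever sees the last declared charset."""
    captured = None
    for raw in parts:
        charset = part_charset(raw)
        if charset is not None:
            captured = charset  # overwrite, exactly the bug in the chain
    if captured is not None and captured not in ALLOWED_CHARSETS:
        return [captured]
    return []


def check_every_part(parts: list[str]) -> list[str]:
    """Model of the fixed behaviour: apply the allow-list to the charset of
    every part, so a disallowed value in an early part is still reported."""
    return [c for c in (part_charset(raw) for raw in parts)
            if c is not None and c not in ALLOWED_CHARSETS]


# Constructed sample body: a disallowed charset in part one, an allowed one
# in part two. This ordering is what the buggy model misses.
BOUNDARY = "constructedboundary"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="a"\r\n'
    "Content-Type: text/plain; charset=x-unexpected\r\n"
    "\r\n"
    "first part\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="b"\r\n'
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "second part\r\n"
    f"--{BOUNDARY}--\r\n"
)

if __name__ == "__main__":
    parts = split_parts(SAMPLE_BODY, BOUNDARY)
    print("buggy model flags:", check_last_capture_only(parts))  # []
    print("fixed model flags:", check_every_part(parts))         # ['x-unexpected']
```

Swapping the two parts makes the buggy model report the problem too, which is why a test suite that only exercises single-part or last-part-bad bodies would not have caught this; the useful regression test is the ordering above, with the disallowed value in any part other than the last.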
