Hi Jan,

On Fri, May 22, 2026 at 09:38:12PM +0200, Salvatore Bonaccorso wrote:
>
> The following vulnerability was published for nginx.
>
> CVE-2026-9256[0]:
> | NGINX Plus and NGINX Open Source have a vulnerability in the
> | ngx_http_rewrite_module module. This vulnerability exists when a
> | rewrite directive uses a regex pattern with distinct, overlapping
> | Perl-Compatible Regular Expression (PCRE) captures (for example,
> | ^/((.*))$) and a replacement string that references multiple such
> | captures (for example, $1$2) in a redirect or arguments context. An
> | unauthenticated attacker along with conditions beyond their control
> | can exploit this vulnerability by sending crafted HTTP requests.
> | This may cause a heap buffer overflow in the NGINX worker process
> | leading to a restart. Additionally, attackers can execute code on
> | systems with Address Space Layout Randomization (ASLR) disabled or
> | when the attacker can bypass ASLR. Note: Software versions which
> | have reached End of Technical Support (EoTS) are not evaluated.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
I'm working on fixing this vulnerability for LTS sponsored by Freexian and
have the attached debdiff for bullseye. If you'd like to check, it'd be
appreciated. I plan to upload by the end of the weekend.

Also, I can help do the work to fix CVE-2026-9256 and CVE-2026-42946 in
stable and oldstable if you would like help there (and I can also file the
p-u bugs).

Cheers,
Charles
diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog --- nginx-1.18.0/debian/changelog 2026-05-16 08:59:31.000000000 -0300 +++ nginx-1.18.0/debian/changelog 2026-05-30 16:09:59.000000000 -0300 @@ -1,3 +1,11 @@ +nginx (1.18.0-6.1+deb11u7) bullseye-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * debian/patches/CVE-2026-9256.patch: cherry-pick from upstream. + (Closes: #1137339) + + -- Carlos Henrique Lima Melara <[email protected]> Sat, 30 May 2026 16:09:59 -0300 + nginx (1.18.0-6.1+deb11u6) bullseye-security; urgency=medium * d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642. diff -Nru nginx-1.18.0/debian/patches/CVE-2026-9256.patch nginx-1.18.0/debian/patches/CVE-2026-9256.patch --- nginx-1.18.0/debian/patches/CVE-2026-9256.patch 1969-12-31 21:00:00.000000000 -0300 +++ nginx-1.18.0/debian/patches/CVE-2026-9256.patch 2026-05-30 16:08:05.000000000 -0300 
@@ -0,0 +1,72 @@ +From: Roman Arutyunyan <[email protected]> +Date: Thu, 14 May 2026 18:42:18 +0400 +Subject: Rewrite: fix buffer overflow with overlapping captures + +When the rewrite replacement string had no variables, but had +overlapping captures, the length of the allocated buffer could be +smaller than the replacement string. This could happen either +when the "redirect" parameter is specified, or when arguments are +present in the replacement string. + +The following configurations resulted in heap buffer overflow when +using URI "/++++++++++++++++++++++++++++++": + + location / { + rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect; + return 200 foo; + } + + location / { + rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2; + return 200 foo; + } + +Reported by Mufeed VH of Winfunc Research. + +Origin: upstream, https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068 +Forwarded: not-needed +Last-Update: 2026-05-30 +--- + src/http/ngx_http_script.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c +index 302f842..d13ca2d 100644 +--- a/src/http/ngx_http_script.c ++++ b/src/http/ngx_http_script.c +@@ -999,6 +999,8 @@ ngx_http_script_start_args_code(ngx_http_script_engine_t *e) + void + ngx_http_script_regex_start_code(ngx_http_script_engine_t *e) + { ++ int *cap; ++ u_char *p; + size_t len; + ngx_int_t rc; + ngx_uint_t n; +@@ -1105,15 +1107,19 @@ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e) + if (code->lengths == NULL) { + e->buf.len = code->size; + +- if (code->uri) { +- if (r->ncaptures && (r->quoted_uri || r->plus_in_uri)) { +- e->buf.len += 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, +- NGX_ESCAPE_ARGS); +- } +- } ++ cap = r->captures; ++ p = r->captures_data; + + for (n = 2; n < r->ncaptures; n += 2) { +- e->buf.len += r->captures[n + 1] - r->captures[n]; ++ e->buf.len += cap[n + 1] - cap[n]; ++ ++ if (code->uri) { 
++ if (r->quoted_uri || r->plus_in_uri) { ++ e->buf.len += 2 * ngx_escape_uri(NULL, &p[cap[n]], ++ cap[n + 1] - cap[n], ++ NGX_ESCAPE_ARGS); ++ } ++ } + } + + } else { diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series --- nginx-1.18.0/debian/patches/series 2026-05-16 08:59:31.000000000 -0300 +++ nginx-1.18.0/debian/patches/series 2026-05-30 16:01:33.000000000 -0300 @@ -19,4 +19,5 @@ CVE-2026-40701.patch CVE-2026-42934.patch CVE-2025-53859.patch +CVE-2026-9256.patch # see also debian/modules/patches/
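Review bot: the debian/changelog entry names the patch file and closes #1137339 but never says what the patch fixes; the previous entry (`d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642`) at least ties the file to the CVE, so please extend the new bullet along the lines of `debian/patches/CVE-2026-9256.patch: cherry-pick from upstream to fix a heap buffer overflow in ngx_http_rewrite_module with overlapping captures in redirect/arguments context`, keeping the `(Closes: #1137339)`.

Review bot: the DEP-3 header of CVE-2026-9256.patch carries `Origin: upstream, https://github.com/nginx/nginx/commit/3f135ae2...`, `Forwarded: not-needed` and `Last-Update: 2026-05-30`, but no `Bug-Debian:` line for the #1137339 referenced in the changelog; please add it. The `index 302f842..d13ca2d` line and the `@@ -999,6 +999,8 @@` / `@@ -1105,15 +1107,19 @@` offsets are upstream's, so confirm in the build log that both hunks applied at those offsets in 1.18.0 rather than with fuzz, since the surrounding `ngx_http_script_regex_start_code` in 1.18.0 is well behind the tree this was taken from. The change itself reads correctly: the single whole-URI `ngx_escape_uri(NULL, r->uri.data, r->uri.len, ...)` allowance is replaced by a per-capture term `ngx_escape_uri(NULL, &p[cap[n]], cap[n + 1] - cap[n], ...)` inside the `for (n = 2; n < r->ncaptures; n += 2)` loop, so a replacement such as `$1$2` over overlapping regions is now summed per reference instead of once, and dropping the old `r->ncaptures &&` guard is safe because the loop does not run when there are no captures. Given that the description includes the two reproducer `location` blocks and the `/++++++++++++++++++++++++++++++` URI, it would be worth stating in the upload that they were run against the patched 1.18.0 build (ideally under ASan) and no longer crash the worker.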

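The advisory and the upstream commit message above describe the vulnerable shape precisely: a `rewrite` regex with nested (overlapping) PCRE captures, a replacement that references more than one of them, and either a redirect or a replacement carrying arguments. An administrator waiting for the fixed package will want to know whether any of their own configurations hit that shape. The scanner below is an added example written for this page; it is not part of the email, of nginx, or of the Debian packaging. It assumes one `rewrite` directive per line, a simplified PCRE group tokenizer (escapes, character classes and the usual non-capturing forms are skipped), a constructed `SAMPLE_CONF` fragment built from the reproducer configurations in the commit message, and nginx's documented rule that a replacement starting with `http://`, `https://` or `$scheme` is returned as a redirect.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample nginx.conf fragment (assumption: not from any real deployment).
# The first two rewrites mirror the shapes in the advisory; the last two do not
# match it (disjoint captures, or only one of the overlapping captures referenced).
SAMPLE_CONF = """
server {
    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
        return 200 foo;
    }
    location /args {
        rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
    }
    location /other {
        rewrite ^/(a)(b)$ /x/$1$2 last;
        rewrite ^/((.*))$ /y/$1 last;
    }
}
"""

# rewrite <regex> <replacement> [last|break|redirect|permanent];
REWRITE_RE = re.compile(
    r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(last|break|redirect|permanent))?\s*;'
)
CAPTURE_REF_RE = re.compile(r'\$(\d+)')


def capture_spans(pattern: str) -> List[Tuple[int, int]]:
    """Return (start, end) offsets of each numbered capture group, in group order.
    Escaped characters and character classes are skipped; (?:...), (?=...), (?!...),
    (?<=...) and (?<!...) are non-capturing; (?<name>...) / (?P<name>...) capture."""
    spans: List[List[int]] = []
    stack: List[Optional[int]] = []   # index into spans, or None for non-capturing
    in_class = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            i += 2                    # escaped character is never a group delimiter
            continue
        if in_class:
            if c == ']':
                in_class = False
        elif c == '[':
            in_class = True
        elif c == '(':
            if pattern.startswith('(?', i):
                nxt = pattern[i + 2:i + 3]
                capturing = nxt in ('<', 'P') and pattern[i + 3:i + 4] not in ('=', '!')
            else:
                capturing = True
            if capturing:
                spans.append([i, -1])
                stack.append(len(spans) - 1)
            else:
                stack.append(None)
        elif c == ')' and stack:
            idx = stack.pop()
            if idx is not None:
                spans[idx][1] = i + 1
        i += 1
    return [(s, e) for s, e in spans]


def overlapping_groups(spans: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Pairs of 1-based group numbers whose spans overlap. Well-formed groups are
    either nested or disjoint, so an overlap means one capture is nested in the other."""
    pairs = []
    for a in range(len(spans)):
        for b in range(a + 1, len(spans)):
            s1, e1 = spans[a]
            s2, e2 = spans[b]
            if s1 < e2 and s2 < e1:
                pairs.append((a + 1, b + 1))
    return pairs


def scan_config(text: str) -> List[Dict]:
    """Flag rewrite directives whose replacement references two or more overlapping
    captures and that run in a redirect or arguments context."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        pattern = m.group(1).strip('"\'')
        replacement = m.group(2).strip('"\'')
        flag = m.group(3)
        refs = {int(n) for n in CAPTURE_REF_RE.findall(replacement)}
        risky = [(a, b) for a, b in overlapping_groups(capture_spans(pattern))
                 if a in refs and b in refs]
        if not risky:
            continue
        contexts = []
        # A redirect results from the flag or from a scheme-prefixed replacement.
        if flag in ('redirect', 'permanent') or \
                replacement.startswith(('http://', 'https://', '$scheme')):
            contexts.append('redirect')
        if '?' in replacement:          # replacement carries arguments
            contexts.append('args')
        if contexts:
            findings.append({'line': lineno, 'pattern': pattern,
                             'replacement': replacement,
                             'groups': risky, 'context': contexts})
    return findings


if __name__ == '__main__':
    for f in scan_config(SAMPLE_CONF):
        print(f"line {f['line']}: rewrite {f['pattern']} -> {f['replacement']} "
              f"references overlapping captures {f['groups']} "
              f"in {'/'.join(f['context'])} context")
```

Run against a real `nginx.conf` (read the file into `scan_config`), the output lists the directives worth rewriting to a single capture (`$1` alone) or reviewing once the fixed package is installed; the last two rewrites in the sample are deliberately left unflagged because disjoint captures, or a single referenced capture, are outside the shape the advisory describes.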
