Summary

Field             | Detail
CVE ID            | CVE-2026-9256
Component         | nginx — ngx_http_rewrite_module (src/http/modules/ngx_http_rewrite_module.c)
Type              | Heap buffer overflow in the worker process; possible RCE without ASLR
CWE               | CWE-122 Heap-based buffer overflow
CVSS 3.1          | 8.1 (high)
CVSS 4.0          | 9.2 (critical)
Public disclosure | 2026-05-22 — nginx security advisories
Fixed upstream    | nginx 1.31.1 (mainline) and 1.30.2 (stable), released 2026-05-22
KEV listed        | not yet
EPSS              | not yet

An unauthenticated remote attacker can crash the nginx worker process by sending crafted HTTP requests, provided the running configuration contains a rewrite directive that uses a PCRE regex with distinct, overlapping captures and a replacement string referencing multiple such captures in a redirect or arguments context. Where ASLR is disabled or the attacker can bypass it, the overflow may be turned into remote code execution in the worker.

The bug is in the rewrite module’s replacement-string handling: with overlapping captures, the size precomputed for the output buffer can under-count what the replacement actually emits, and the subsequent copy walks past the allocated heap region. Affects both NGINX Open Source and NGINX Plus.

Affected versions

Stream   | Vulnerable      | Fixed
mainline | 0.1.17 – 1.31.0 | 1.31.1 (2026-05-22)
stable   | 0.1.17 – 1.30.1 | 1.30.2 (2026-05-22)

Per the upstream advisory. The vulnerable code has been present since the early ngx_http_rewrite_module PCRE-capture handling — every shipped nginx through 1.31.0 / 1.30.1 carries it.

Distribution status

Fix status depends on the package version and whether the maintainer backported the upstream patch. A distro can carry the fix as a -N Debian packaging revision, a patches/patch-* file (with a PKGREVISION bump) in pkgsrc, or an extraPatches .patch in nixpkgs — so an older version string does not always mean vulnerable.

Debian

The Debian security tracker is the authoritative source for per-suite status.

Versions are the apt-installable value — the <suite>-security archive where it exists, since that is what hosts run and where a DSA / DLA fix lands first.

Release                   | Version            | Fixed since | Status
Debian sid                | 1.30.1-3           | 2026-05-23  | ✅ Fixed — the -3 packaging revision backports the upstream patch onto 1.30.1
Debian forky              | 1.30.1-3           | 2026-05-26  | ✅ Fixed — migrated from sid
Debian 13 (trixie)        | 1.26.3-3+deb13u6   | 2026-06-08  | ✅ Fixed — security upload in trixie-security backports the upstream patch
Debian 12 (bookworm)      | 1.22.1-9+deb12u8   | 2026-06-08  | ✅ Fixed — security upload in bookworm-security backports the upstream patch
Debian 11 (bullseye, LTS) | 1.18.0-6.1+deb11u6 |             | ❌ Vulnerable — on Debian LTS (regular security ended 2024-08-15; LTS to 2026-08-31), so a fix would come from the LTS team as a DLA

Per-release notes:

  • sid → forky: the Debian-side fix landed first in sid (1.30.1-3) and has since migrated into testing (forky).
  • trixie and bookworm have each received a security archive upload (a +debXuY revision bump carrying the backported upstream patch) and are now fixed. bullseye (LTS) is still waiting for a DLA from the LTS team.

pkgsrc

The pkgsrc tree (NetBSD’s package collection, also used on SmartOS, macOS via pkgin, and elsewhere) ships nginx in two packages. pkgsrc-current is the rolling tip (trunk); quarterly stable branches (pkgsrc-2025Q4 etc.) inherit by cherry-pick.

Package                                         | Version      | Fixed since | Status
pkgsrc-current www/nginx (stable track)         | nginx-1.30.2 | 2026-05-29  | ✅ Fixed — nginx-1.30.2 ≥ 1.30.2
pkgsrc-current www/nginx-devel (mainline track) | nginx-1.29.6 |             | ❌ Vulnerable — needs ≥ 1.31.1

NixOS

nixpkgs ships nginx as two attributes: nginxMainline and nginxStable. A channel is fixed once its version reaches the fixed upstream release or it carries the fix as an extraPatches backport on an older base. Each row’s “Fixed since” date and revision mark when its current verdict first held.

Channel              | nginxMainline | nginxStable | Fixed since | Status
nixos-unstable       | 1.31.1        | 1.30.2      | 2026-05-26  | ✅ Fixed at revision 64c08a7c
nixos-unstable-small | 1.31.1        | 1.30.2      | 2026-05-23  | ✅ Fixed at revision 19942a94 — lighter test gate, led the bump
nixos-25.11          | 1.29.7        | 1.28.3      | 2026-05-29  | ✅ Fixed at revision 25f53830 — CVE-2026-9256 extraPatches backport (both streams)
nixos-25.11-small    | 1.29.7        | 1.28.3      | 2026-05-29  | ✅ Fixed at revision f5190b69 — same extraPatches backport as nixos-25.11
nixpkgs-unstable     | 1.31.1        | 1.30.2      | 2026-05-23  | ✅ Fixed at revision 3d8f0f3f — channel for non-NixOS Nix users (Darwin, foreign Linux)

All five tracked channels now carry the fix: the three unstable channels ship the fixed upstream versions (1.31.1 mainline / 1.30.2 stable), while nixos-25.11 and nixos-25.11-small keep their 1.29.7 / 1.28.3 release versions with the CVE-2026-9256 fix applied as an extraPatches backport.

Detection

To check whether a running nginx is on a fixed build:

nginx -v 2>&1 | awk '{print $NF}' | sed 's,^nginx/,,'
  • mainline >= 1.31.1 ⇒ fixed.
  • stable >= 1.30.2 ⇒ fixed.
  • Anything older ⇒ vulnerable, unless the distro packager has backported the upstream patch (see the per-distro notes below).

To check whether your config actually contains the vulnerable construct (a rewrite with overlapping captures used in a redirect or args target), look for rewrite directives whose replacement strings reference multiple $N captures, especially in return 301 or query-string contexts. The CVSS reflects the worst case (a config that hits the buggy path); a config that uses no rewrite directive at all, or no PCRE captures in rewrites, is not exposed even on a vulnerable binary.
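The two checks above, version threshold and rewrite-capture scan, as an added shell helper that is not part of this advisory. The fix thresholds are the advisory's; the mainline/stable split is inferred from nginx's numbering convention (odd minor = mainline, even minor = stable), and the scan only flags candidates for manual review, since it cannot tell overlapping captures from ordinary ones.

```shell
# Added example, not part of the advisory: classify an nginx version against
# the CVE-2026-9256 fix thresholds and list rewrite directives that reference
# two or more $N captures. Thresholds are the advisory's (mainline >= 1.31.1,
# stable >= 1.30.2); the stream is inferred from nginx's numbering convention
# (odd minor = mainline, e.g. 1.31.x; even minor = stable, e.g. 1.30.x).

# nginx_version_status VERSION -> prints unaffected | fixed | vulnerable
# "vulnerable" means the upstream version predates the fix; a distro backport
# (Debian -N revision, pkgsrc nbN, nixpkgs extraPatches) is not visible here.
nginx_version_status() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    if [ "$major" -eq 0 ]; then
        # the vulnerable range starts at 0.1.17
        if [ "$minor" -lt 1 ] || { [ "$minor" -eq 1 ] && [ "$patch" -lt 17 ]; }; then
            echo unaffected; return
        fi
        echo vulnerable; return
    fi
    if [ "$major" -gt 1 ]; then echo fixed; return; fi
    if [ $((minor % 2)) -eq 1 ]; then fix_minor=31; fix_patch=1   # mainline: 1.31.1
    else fix_minor=30; fix_patch=2; fi                             # stable: 1.30.2
    if [ "$minor" -gt "$fix_minor" ] ||
       { [ "$minor" -eq "$fix_minor" ] && [ "$patch" -ge "$fix_patch" ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# scan_rewrites CONFIG_FILE -> prints "file:line: directive" for each rewrite
# line referencing two or more captures ($1, ${1}, ...); exits 0 if any were
# found, 1 otherwise. Review hits for redirect flags or a query-string target.
scan_rewrites() {
    awk '
        /^[ \t]*rewrite[ \t]/ {
            line = $0
            n = gsub(/\$[{]?[1-9]/, "&", line)   # count capture references
            if (n >= 2) { found++; print FILENAME ":" NR ": " $0 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}
```

Feed `nginx_version_status` the output of the `nginx -v` pipeline above, and run `scan_rewrites` over each included config file (the scan is line-based, so a rewrite split across lines is missed).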

Debian

A Debian-side backport keeps the upstream version but bumps the -N packaging revision (e.g. sid’s 1.30.1-3 carries the patch on top of nginx 1.30.1). Query the installed package version:

dpkg-query -W -f='${Version}\n' nginx

Cross-reference the version against the per-suite rows in Distribution status → Debian (and ultimately the Debian security tracker page).

pkgsrc

Query the installed package:

pkg_info -e nginx          # or: pkg_info -e nginx-devel

The output is <pkgname>-<version> plus, if the Makefile sets PKGREVISION, the suffix nb<PKGREVISION> (e.g. nginx-1.30.1 or nginx-1.30.1nb1). Cross-reference against the per-package rows in Distribution status → pkgsrc.

NixOS

The nginx version in the system closure is the same as the version = field in pkgs/servers/http/nginx/{mainline,stable}.nix on the channel revision the system was built from — there is no separate packaging-revision concept. Query the running build:

nginx -v 2>&1 | awk '{print $NF}' | sed 's,^nginx/,,'

…and cross-reference against the per-channel rows in Distribution status → NixOS.

Mitigation

If you cannot update immediately:

  • Strongest: remove rewrite directives that use PCRE captures in redirect / arguments contexts, or rewrite them as simple return directives without captured groups in the replacement.
  • Operational: keep ASLR enabled. On Linux /proc/sys/kernel/randomize_va_space should read 2; on NetBSD, sysctl -n security.pax.aslr.enabled should read 1. Both default to on across the tracked Debian, pkgsrc, and NixOS builds. Without ASLR the bug is significantly easier to escalate beyond a worker crash.
  • Defence in depth: put a WAF or rate limiter in front of nginx workers to slow brute-force attempts that depend on repeated worker restarts to leak addresses.

Mitigation is not a fix — the heap overflow is still present and any later config change that re-introduces a vulnerable rewrite will re-expose the bug. Upgrade to a fixed nginx as soon as your channel carries it.

Verification log

Last verified 2026-06-08.

Upstream

  • CVE-2026-9256 published 2026-05-22 by nginx upstream, alongside the fixed releases nginx 1.31.1 (mainline) and 1.30.2 (stable). Confirmed against nginx security advisories and the nginx CHANGES file: 1.31.1’s changelog explicitly lists “buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-9256)”.
  • MITRE CVE Record state PUBLISHED; NVD record present with both CVSS 3.1 (8.1 high) and CVSS 4.0 (9.2 critical).
  • KEV not listed; EPSS not yet scored.

Distributions

  • Debian sid: Debian security tracker lists nginx 1.30.1-3 as fixed — Debian-side backport of the upstream patch carried as the -3 packaging revision on top of nginx 1.30.1. Uploaded to unstable 2026-05-23 (the changelog closes CVE-2026-9256).
  • Debian forky: tracker page lists nginx 1.30.1-3 as fixed; 1.30.1-3 migrated from sid into testing (forky), first observed fixed 2026-05-26.
  • Debian 13 (trixie): apt-installable version 1.26.3-3+deb13u6 (trixie-security), fixed — security archive upload backporting the upstream patch (via the Debian tracker).
  • Debian 12 (bookworm): apt-installable version 1.22.1-9+deb12u8 (bookworm-security), fixed — security archive upload backporting the upstream patch (via the Debian tracker).
  • Debian 11 (bullseye): apt-installable version 1.18.0-6.1+deb11u6 (bullseye-security), vulnerable. Bullseye is on Debian LTS (regular security support ended 2024-08-15; LTS runs to 2026-08-31) so a backport, if it comes, will be a DLA from the LTS team.
  • pkgsrc-current: www/nginx/Makefile pins DISTNAME=nginx-1.30.2 as of 2026-05-29 (commit 0891e1bf19e6) — the upstream stable fixed release; the version itself is the fix, no patches/ backport needed. www/nginx-devel/Makefile still pins DISTNAME=nginx-1.29.6 and carries no CVE-2026-9256 patch in patches/; vulnerable.
  • NixOS nixos-unstable: fixed since 2026-05-26 at revision 64c08a7ca051951c8eae34e3e3cb1e202fe36786; pkgs/servers/http/nginx/mainline.nix pins version = "1.31.1", stable.nix pins version = "1.30.2". Both fixed. The bump cleared Hydra’s full test set by 2026-05-26.
  • NixOS nixos-unstable-small: fixed since 2026-05-23 at revision 19942a940b16e7e7285e3cf58f09fa1aeb2f90cd; mainline.nix pins 1.31.1, stable.nix pins 1.30.2. Both fixed. The -small channel has a lighter test gate and led the bump.
  • NixOS nixos-25.11: fixed since 2026-05-29 at revision 25f538306313eae3927264466c70d7001dcea1df; mainline.nix pins 1.29.7, stable.nix pins 1.28.3, both with a CVE-2026-9256.patch entry in extraPatches pointing to upstream commit ca4f92a27464ae6c2082245e4f67048c633aa032. The 25.11 branch received a security backport via extraPatches rather than a version bump.
  • NixOS nixos-25.11-small: fixed since 2026-05-29 at revision f5190b692864072e79a2fb7c52d72d1d57fcb269; same base versions (1.29.7 / 1.28.3) and the same CVE-2026-9256.patch backport in extraPatches as nixos-25.11.
  • nixpkgs-unstable: fixed since 2026-05-23 at revision 3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456; mainline.nix pins 1.31.1, stable.nix pins 1.30.2. Both fixed.
  • NixOS security tracker (tracker.security.nixos.org) — no published issue or accepted suggestion against the nginx package for CVE-2026-9256 as of 2026-05-29; the fix reached the 25.11 channels via extraPatches rather than through the security tracker workflow.

References

Source                                             | URL
CVE-2026-9256 — MITRE CVE Record                   | https://www.cve.org/CVERecord?id=CVE-2026-9256
CVE-2026-9256 — NVD record                         | https://nvd.nist.gov/vuln/detail/CVE-2026-9256
nginx security advisories                          | https://nginx.org/en/security_advisories.html
nginx CHANGES — 1.31.1 / 1.30.2 entries            | https://nginx.org/en/CHANGES
CWE-122 — Heap-based Buffer Overflow               | https://cwe.mitre.org/data/definitions/122.html
Debian security tracker — CVE-2026-9256            | https://security-tracker.debian.org/tracker/CVE-2026-9256
pkgsrc — www/nginx Makefile (GitHub mirror)        | https://github.com/NetBSD/pkgsrc/blob/trunk/www/nginx/Makefile
pkgsrc — www/nginx-devel Makefile (GitHub mirror)  | https://github.com/NetBSD/pkgsrc/blob/trunk/www/nginx-devel/Makefile
NixOS security tracker                             | https://tracker.security.nixos.org/
NixOS channel pointer — nixos-unstable             | https://channels.nixos.org/nixos-unstable/git-revision
NixOS channel pointer — nixos-unstable-small       | https://channels.nixos.org/nixos-unstable-small/git-revision
NixOS channel pointer — nixos-25.11                | https://channels.nixos.org/nixos-25.11/git-revision
NixOS channel pointer — nixos-25.11-small          | https://channels.nixos.org/nixos-25.11-small/git-revision
nixpkgs channel pointer — nixpkgs-unstable         | https://channels.nixos.org/nixpkgs-unstable/git-revision