9.2
CRITICAL CVSS 4.0
CVE-2026-9256
NGINX ngx_http_rewrite_module vulnerability
Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

INFO

Published Date :

May 22, 2026, 3:16 p.m.

Last Modified :

June 30, 2026, 3:21 a.m.

Remotely Exploit :

Yes !
Affected Products

The following products are affected by CVE-2026-9256 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 F5 nginx_plus
2 F5 nginx_open_source
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 HIGH 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab
CVSS 3.1 HIGH MITRE-CVE
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CVSS 4.0 CRITICAL 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab
CVSS 4.0 CRITICAL [email protected]
Solution
Update NGINX to a version that addresses the rewrite module heap buffer overflow vulnerability.
  • Update NGINX Plus to the latest version.
  • Update NGINX Open Source to the latest version.
  • Review and fix rewrite rules with overlapping PCRE captures.
  • Disable ASLR if possible and not already enabled.
Public PoC/Exploit Available at Github

CVE-2026-9256 has a 17 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-9256 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-9256 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

Dockerfile Python Shell

Updated: 1 week, 5 days ago
2 stars 1 fork 1 watcher
Born at : June 20, 2026, 3:39 a.m. This repo has been linked 2 different CVEs too.

None

Python

Updated: 1 week ago
1 stars 0 fork 0 watcher
Born at : June 19, 2026, 6:51 a.m. This repo has been linked 1 different CVEs too.

Nginx RCE chain PoC with CVE-2026-9256 and CVE-2026-42945

Python Shell

Updated: 3 weeks, 4 days ago
2 stars 1 fork 1 watcher
Born at : June 5, 2026, 3:21 p.m. This repo has been linked 2 different CVEs too.

CVE-2026-9256 Nginx heap buffer overflow POC

Python

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : June 3, 2026, 2:17 a.m. This repo has been linked 1 different CVEs too.

Echo assignment - shalev lavyuod

Makefile Shell Dockerfile Python

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : June 1, 2026, 5:05 p.m. This repo has been linked 2 different CVEs too.

None

Dockerfile Shell Makefile Python

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : May 29, 2026, 6:26 p.m. This repo has been linked 40 different CVEs too.

Community-maintained fork of kubernetes/ingress-nginx with NGINX 1.30.2

fork cve docker helm ingress ingress-controller kubernetes kubernetes-ingress load-balancer nginx nginx130 reverse-proxy security

Lua Makefile Shell Go Template Mustache Go Python Dockerfile HTML JavaScript

Updated: 1 day, 14 hours ago
1 stars 0 fork 0 watcher
Born at : May 28, 2026, 4:05 p.m. This repo has been linked 10 different CVEs too.

poc

Python

Updated: 1 week ago
1 stars 0 fork 0 watcher
Born at : May 28, 2026, 6:56 a.m. This repo has been linked 2 different CVEs too.

cPanel/WHM CVE auditor & patcher — May 2026 batch, zero dependencies.

Shell

Updated: 1 month, 1 week ago
2 stars 0 fork 0 watcher
Born at : May 24, 2026, 9:31 a.m. This repo has been linked 8 different CVEs too.

Tracking the nginx CVE-2026-9256 rewrite-module heap overflow

nginx security

Shell Makefile Nix CSS HTML

Updated: 1 month, 1 week ago
0 stars 0 fork 0 watcher
Born at : May 24, 2026, 2:43 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 1 week, 3 days ago
1 stars 0 fork 0 watcher
Born at : April 3, 2026, 10:56 a.m. This repo has been linked 1 different CVEs too.

WNMP One‑Click Stack | WebDAV · Nginx · PHP · MariaDB · Kernel Tuning

Shell HTML

Updated: 2 weeks ago
25 stars 4 fork 4 watcher
Born at : Dec. 7, 2025, 11:39 p.m. This repo has been linked 10 different CVEs too.

DSA and DLA for Debian last 14 days

Python

Updated: 3 weeks, 5 days ago
0 stars 1 fork 1 watcher
Born at : Feb. 12, 2025, 2:08 p.m. This repo has been linked 1048 different CVEs too.

一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.

Updated: 1 week, 2 days ago
172 stars 24 fork 24 watcher
Born at : Jan. 5, 2023, 2:19 a.m. This repo has been linked 258 different CVEs too.

SecDB - Security Feeds

cve security-feeds vulnerability

Updated: 1 week, 4 days ago
0 stars 0 fork 0 watcher
Born at : July 1, 2022, 8:37 p.m. This repo has been linked 126 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-9256 vulnerability anywhere in the article.

  • CybersecurityNews
Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

A newly disclosed flaw in one of the world’s most widely deployed web servers is forcing administrators into another emergency patch cycle. Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolsl ... Read more

Published Date: May 23, 2026 (1 month, 1 week ago)

The following table lists the changes that have been made to the CVE-2026-9256 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jun. 16, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:* versions from (including) r32 up to (including) r36 *cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* versions from (including) 0.1.17 up to (including) 0.9.7 *cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* versions from (including) 1.0.0 up to (including) 1.30.1 *cpe:2.3:a:f5:nginx_open_source:1.31.0:*:*:*:*:*:*:* *cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:* versions from (including) 37.0.0 up to (excluding) 37.0.1.1
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/05/22/14 Types: Mailing List, Third Party Advisory
    Added Reference Type F5 Networks: https://my.f5.com/manage/s/article/K000161377 Types: Mitigation, Vendor Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    May. 23, 2026

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2026/05/22/14
  • New CVE Received by [email protected]

    May. 22, 2026

    Action Type Old Value New Value
    Added Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    Added CVSS V4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-122
    Added Reference https://my.f5.com/manage/s/article/K000161377
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.