9.4

NGINX: Malicious requests can cause a system crash or code execution

ALPINE-CVE-2026-9256
Summary

A security issue in NGINX's rewrite module can be exploited by sending specially crafted HTTP requests. This may cause the system to crash or allow an attacker to execute malicious code. If you're using NGINX, update to the latest version to ensure you have the fix.

What to do
  • Update nginx to version 1.28.3-r2.
Affected software
Ecosystem | Vendor | Product | Affected versions | Fix
Alpine:v3.22 | | nginx | < 1.28.3-r2 | upgrade to 1.28.3-r2
Alpine:v3.23 | | nginx | < 1.28.3-r2 | upgrade to 1.28.3-r2
Original title
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-...
Original description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
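To find configurations with the shape the description names, the following added example (not code from the advisory or from NGINX) scans configuration text for rewrite directives whose regex has one capture group nested inside another and whose replacement references both. It generalizes from the ^/((.*))$ and $1$2 example to any nested pair. Assumptions: the config and host names are constructed, each regex and replacement is a single token without spaces, and "redirect or arguments context" is read here as a redirect/permanent flag, a replacement starting with http://, https:// or $scheme, or a replacement containing "?".

```python
import re
# Constructed sample config (not from the advisory); example.test is a placeholder host.
SAMPLE = r'''server {
    location /a { rewrite ^/((.*))$ /new?u=$1$2 last; }
    rewrite ^/old/(.*)/(.*)$ /new/$1/$2 permanent;
    # rewrite ^/((.*))$ https://example.test/$1$2;
    rewrite ^/x/((?:a|b)(\d+))$ $scheme://example.test/$1/$2;
}'''
# rewrite <regex> <replacement> [flag];  tokens are assumed to contain no spaces
REWRITE = re.compile(r'(?m)(?:^|[;{}])\s*rewrite\s+(\S+)\s+([^\s;]+)(?:\s+(\w+))?\s*;')

def nested_captures(pattern):
    """Return {(outer, inner)} for numbered capture groups where inner sits inside outer."""
    pairs, stack, count, i, in_class = set(), [], 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':                # escaped character: skip it and its target
            i += 2
            continue
        if in_class:                  # inside [...] a parenthesis is a literal
            in_class = ch != ']'
        elif ch == '[':
            in_class = True
        elif ch == '(':
            # (?:..) and lookarounds do not capture; (?<n>..), (?P<n>..), (?'n'..) do
            if pattern[i + 1:i + 2] != '?' or re.match(r"\?(P?<[A-Za-z_]|')", pattern[i + 1:]):
                count += 1
                pairs.update((outer, count) for outer in stack if outer)
                stack.append(count)
            else:
                stack.append(0)       # placeholder so the matching ')' pops correctly
        elif ch == ')' and stack:
            stack.pop()
        i += 1
    return pairs

def audit(conf_text):
    """Return (line, regex, replacement, pairs, context) per suspicious rewrite directive."""
    conf_text = re.sub(r'(?m)(^|\s)#.*$', r'\1', conf_text)  # drop comments, keep line numbers
    findings = []
    for m in REWRITE.finditer(conf_text):
        regex, repl, flag = m.group(1).strip('"\''), m.group(2).strip('"\''), m.group(3)
        refs = {int(d) for d in re.findall(r'\$\{?(\d)', repl)}
        hits = sorted(p for p in nested_captures(regex) if set(p) <= refs)
        if hits:
            redirect = flag in ('redirect', 'permanent') or repl.startswith(('http://', 'https://', '$scheme'))
            context = '+'.join(n for n, on in (('redirect', redirect), ('args', '?' in repl)) if on)
            findings.append((conf_text.count('\n', 0, m.start(1)) + 1, regex, repl, hits, context or 'unclear'))
    return findings
```

A finding only means the directive has the shape the description names; the remediation is still the upgrade to 1.28.3-r2.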
osv CVSS4.0 9.4
Published: 22 May 2026 · Updated: 23 May 2026 · First seen: 23 May 2026