{
  "schema_version": "1.0",
  "report_url": "https://aretiq.ai/research/vul260525-cve-2026-9256-nginx-ngx-http-rewrite-module-overlapping-pcre-captures-heap-buffer-overflow-rce/",
  "date": "2026-05-25",
  "last_modified": "2026-05-25",
  "cve": "CVE-2026-9256",
  "title": "CVE-2026-9256 — NGINX ngx_http_rewrite_module Overlapping PCRE Captures Heap Buffer Overflow RCE",
  "vulnerability_name": "NGINX ngx_http_rewrite_module Overlapping PCRE Captures Heap Buffer Overflow RCE",
  "vendor": "F5",
  "product": "NGINX",
  "component": "ngx_http_rewrite_module",
  "binary": "nginx",
  "impact": "RCE",
  "cwe": ["CWE-122", "CWE-131", "CWE-126"],
  "severity": {
    "cvss_v4_score": 9.2,
    "cvss_v4_vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
  },
  "attack_vector": "Network",
  "patch_kb": "N/A",
  "poc_verified": true,
  "poc_download": "https://aretiq.ai/downloads/",
  "tags": ["cve-2026-9256", "nginx", "rewrite", "pcre", "heap-overflow", "rce", "info-disclosure"],
  "summary": "1. Overview\nA heap buffer overflow vulnerability exists in the NGINX ngx_http_rewrite_module when processing rewrite directives that use overlapping Perl-Compatible Regular Expression (PCRE) capture groups with a redirect or query-string replacement. When a rewrite rule like ^/((.*))$ produces multiple captures referencing the same URI content and the replacement string references both captures (e.g., $1$2), the buffer allocation underestimates the space needed for URI-escaped output, leading to a heap overflow in the worker process. An unauthenticated remote attacker can send crafted HTTP requests containing URI characters that require escaping (such as +) to crash the NGINX worker process or potentially achieve remote code execution. The vulnerability provides both a controlled heap write primitive and an information disclosure primitive — the overflow causes adjacent heap data (including pool pointers) to leak into the HTTP response, enabling ASLR bypass.\nCombined with the attacker-controlled overflow content and nginx’s deterministic pool allocator, this creates a viable path to code execution. F5/NGINX addressed this vulnerability in nginx 1.31.1 (mainline) and 1.30.2 (stable), released May 22, 2026.\n"
}