<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Heap-Overflow on Aretiq AI</title><link>https://aretiq.ai/tags/heap-overflow/</link><description>Recent content in Heap-Overflow on Aretiq AI</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 25 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://aretiq.ai/tags/heap-overflow/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-9256 — NGINX ngx_http_rewrite_module Overlapping PCRE Captures Heap Buffer Overflow RCE</title><link>https://aretiq.ai/research/vul260525-cve-2026-9256-nginx-ngx-http-rewrite-module-overlapping-pcre-captures-heap-buffer-overflow-rce/</link><pubDate>Mon, 25 May 2026 00:00:00 +0000</pubDate><guid>https://aretiq.ai/research/vul260525-cve-2026-9256-nginx-ngx-http-rewrite-module-overlapping-pcre-captures-heap-buffer-overflow-rce/</guid><description>&lt;h2 id="1-overview">1. Overview&lt;/h2>
&lt;p>A heap buffer overflow vulnerability exists in the NGINX &lt;code>ngx_http_rewrite_module&lt;/code> when it processes rewrite directives that use overlapping Perl Compatible Regular Expressions (PCRE) capture groups together with a redirect or query-string replacement. When a rewrite rule such as &lt;code>^/((.*))$&lt;/code> yields multiple captures that cover the same URI content and the replacement string references both of them (for example &lt;code>$1$2&lt;/code>), the buffer allocation underestimates the space needed for the URI-escaped output, and the module writes past the end of the heap buffer in the worker process. An unauthenticated remote attacker can send crafted HTTP requests containing URI characters that must be escaped (such as &lt;code>+&lt;/code>) to crash the NGINX worker process or potentially achieve remote code execution. The bug provides two primitives: a heap write whose content the attacker controls, and an information disclosure, because the overflow causes adjacent heap data (including pool pointers) to be copied into the HTTP response, which enables an ASLR bypass. Combined with nginx&amp;rsquo;s deterministic pool allocator, this creates a viable path to code execution. Only configurations whose rewrite replacement references overlapping captures are exposed, so operators should audit their &lt;code>rewrite&lt;/code> directives as well as the server version. F5/NGINX addressed this vulnerability in nginx 1.31.1 (mainline) and 1.30.2 (stable), released May 22, 2026; the running version can be confirmed with &lt;code>nginx -v&lt;/code>.&lt;/p></description></item></channel></rss>