NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

nginx nginx-CVE-2026-9256.html: Buffer overflow in the ngx_http_rewrite_module

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2370-1 advisory.

    This update for nginx fixes the following issues

    - CVE-2026-9256: heap buffer overflow in the `ngx_http_rewrite_module` when using a configuration with     overlapping       captures (bsc#1266215).
    - CVE-2026-27651: denial of service via undisclosed requests when the `ngx_mail_auth_http_module` is     enabled       (bsc#1260415).
    - CVE-2026-32647: NGINX worker memory over-read or over-write via a specially crafted MP4 file     (bsc#1260420).
    - CVE-2026-40701: heap use-after-free in the worker process when the `ssl_verify_client` and the     `ssl_ocsp` directives       are set due to issue in the `ngx_http_ssl_module` module (bsc#1265229).
    - CVE-2026-42934: heap buffer overread in the worker process due to issue in the `ngx_http_charset_module`     module       (bsc#1265231).
    - CVE-2026-42945: heap buffer overflow via crafted HTTP requests due to issue in `ngx_http_rewrite_module`       (bsc#1265232).
    - CVE-2026-42946: excessive memory allocation and data overread due to issue in the `ngx_http_scgi_module`     and       `ngx_http_uwsgi_module` modules (bsc#1265233).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:2307-1 advisory.

    This update for nginx fixes the following issue

    - CVE-2026-9256: heap buffer overflow in the `ngx_http_rewrite_module` when using a configuration with     overlapping       captures (bsc#1266215).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1773 advisory.

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This     vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-     Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that     references multiple such captures (for example, $1$2) in a redirect or arguments context. An     unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by     sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading     to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization     (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of     Technical Support (EoTS) are not evaluated. (CVE-2026-9256)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of nginx installed on the remote host is prior to 1.30.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2026-013 advisory.

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This     vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-     Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that     references multiple such captures (for example, $1$2) in a redirect or arguments context. An     unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by     sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading     to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization     (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of     Technical Support (EoTS) are not evaluated. (CVE-2026-9256)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0398 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2026-9256:
    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This     vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-     Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that     references multiple such captures (for example, $1$2) in a redirect or arguments context. An     unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by     sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading     to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization     (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of     Technical Support (EoTS) are not evaluated.

    CVE-2026-40701:
    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_modulemodule when the     ssl_verify_clientdirective is set to on or optional, and the ssl_ocspdirective is set to on or     the leafparameters are configured with a resolver. With this configuration, an unauthenticated attacker     can send requests along with conditions beyond its control that may cause a heap-use-after-free error in     the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX     worker process restarting.



    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6326 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6326-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     June 07, 2026                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : nginx     CVE ID         : CVE-2026-9256 CVE-2026-42946     Debian Bug     : 1138794

    Multiple vulnerabilities were discoverd in Nginx, a high-performance web     and reverse proxy server, which could result in remote code execution,     denial of service or memory disclosure.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 1.22.1-9+deb12u8.

    For the stable distribution (trixie), these problems have been fixed in     version 1.26.3-3+deb13u6.

    We recommend that you upgrade your nginx packages.

    For the detailed security status of nginx please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/nginx

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8375-1 advisory.

    It was discovered that the nginx ngx_mail_smtp_module module incorrectly handled certain memory operations     when doing SMTP authentication. This could possibly result in sensitive information being sent to the     authentication server. (CVE-2025-53859)

    It was discovered that nginx incorrectly handled proxying to upstream TLS servers. An attacker could     possibly use this issue to insert plain text data into the response from an upstream proxied server.
    (CVE-2026-1642)

    It was discovered that the nginx ngx_mail_auth_http_module module incorrectly handled certain requests. An     attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service.
    (CVE-2026-27651)

    It was discovered that the nginx ngx_http_dav_module module incorrectly handled certain destination URIs.
    An attacker could use this issue to cause nginx to crash, resulting in a denial of service, or possibly     modify source or destination names outside of the document root. (CVE-2026-27654)

    It was discovered that the nginx ngx_http_mp4_module module incorrectly handled certain MP4 files. An     attacker could use this issue to cause nginx to crash, resulting in a denial of service, or possibly     execute arbitrary code. (CVE-2026-27784, CVE-2026-32647)

    It was discovered that the nginx ngx_mail_smtp_module module incorrectly handled certain CRLF sequences.
    An attacker could possibly use this issue to inject arbitrary SMTP headers. (CVE-2026-28753)

    It was discovered that nginx contained a use-after-free vulnerability in the ngx_http_ssl_module module     when client certificate verification and OCSP validation were enabled. A remote attacker could use this     issue to cause nginx to crash, resulting in a denial of service, or possibly modify data in memory.
    (CVE-2026-40701)

    It was discovered that nginx did not properly handle certain proxied responses in the     ngx_http_charset_module module. A remote attacker could possibly use this issue to obtain sensitive     information or cause nginx to crash, resulting in a denial of service. (CVE-2026-42934)

    It was discovered that the nginx ngx_http_rewrite_module component incorrectly handled certain rewrite     directives. A remote attacker could use this issue to cause nginx to crash, resulting in a denial of     service, or possibly execute arbitrary code. (CVE-2026-42945)

    It was discovered that nginx did not properly process certain SCGI and uWSGI responses. An attacker able     to perform a machine-in-the-middle attack could possibly use this issue to obtain sensitive information or     cause nginx to crash, resulting in a denial of service. (CVE-2026-42946)

    It was discovered that nginx incorrectly handled certain rewrite rules in the ngx_http_rewrite_module     module. A remote attacker could use this issue to cause nginx to crash, resulting in a denial of service,     or possibly execute arbitrary code. (CVE-2026-9256)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8354-1 advisory.

    It was discovered that nginx did not properly validate source addresses in the HTTP/3 QUIC module. A     remote attacker could possibly use this issue to bypass authorization checks or rate limiting. This issue     only affected Ubuntu 25.04 and Ubuntu 25.10. (CVE-2026-40460)

    It was discovered that nginx contained a use-after-free vulnerability in the ngx_http_ssl_module module     when client certificate verification and OCSP validation were enabled. A remote attacker could use this     issue to cause nginx to crash, resulting in a denial of service, or possibly modify data in memory.
    (CVE-2026-40701)

    It was discovered that nginx did not properly handle certain proxied responses in the     ngx_http_charset_module module. A remote attacker could possibly use this issue to obtain sensitive     information or cause nginx to crash, resulting in a denial of service. (CVE-2026-42934)

    It was discovered that nginx did not properly process certain SCGI and uWSGI responses. An attacker able     to perform a machine-in-the-middle attack could possibly use this issue to obtain sensitive information or     cause nginx to crash, resulting in a denial of service. (CVE-2026-42946)

    It was discovered that nginx incorrectly handled certain rewrite rules in the ngx_http_rewrite_module     module. A remote attacker could use this issue to cause nginx to crash, resulting in a denial of service,     or possibly execute arbitrary code. (CVE-2026-9256)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-dd9cd16b18 advisory.

    nginx-mod-brotli:

    - Rebuild for 1.30.2

    nginx-mod-fancyindex:

    - Rebuild for 1.30.2

    nginx-mod-naxsi:

    - Rebuild for 1.30.2

    nginx-mod-headers-more:

    - Rebuild for 1.30.2

    nginx-mod-vts:

    - Rebuild for 1.30.2

    nginx-mod-modsecurity:

    - Rebuild for 1.30.2

    nginx:

    - update to 1.30.2
    - fixes CVE-2026-9256






Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-da68d7bf53 advisory.

    nginx-mod-headers-more:

    - Rebuild for 1.30.2

    nginx-mod-vts:

    - Rebuild for 1.30.2

    nginx-mod-fancyindex:

    - Rebuild for 1.30.2

    nginx-mod-brotli:

    - Rebuild for 1.30.2

    nginx-mod-naxsi:

    - Rebuild for 1.30.2

    nginx-mod-js-challenge:

    - Rebuild for 1.30.2

    nginx-mod-modsecurity:

    - Rebuild for 1.30.2

    nginx:

    - update to 1.30.2
    - fixes CVE-2026-9256





Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its Server response header, the installed version of nginx is prior to 1.30.2 or 1.31.0. It is, therefore, affected by a buffer overflow in ngx_http_rewrite_module module.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 36a3131d-5600-11f1-b339-3497f65b111b advisory.

    The nginx developers report:

           A heap memory buffer overflow might occur in a worker process            when using a configuration with overlapping captures in            ngx_http_rewrite_module, potentially resulting in arbitrary            code execution (CVE-2026-9256).


Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This     vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-     Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that     references multiple such captures (for example, $1$2) in a redirect or arguments context. An     unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by     sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading     to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization     (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of     Technical Support (EoTS) are not evaluated. (CVE-2026-9256)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
321057	SUSE SLES15 Security Update : nginx (SUSE-SU-2026:2370-1)	Nessus	SuSE Local Security Checks	critical
321031	SUSE SLES15 Security Update : nginx (SUSE-SU-2026:2307-1)	Nessus	SuSE Local Security Checks	critical
319859	Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2026-1773)	Nessus	Amazon Linux Local Security Checks	critical
319833	Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2026-013 (ALASNGINX1-2026-013)	Nessus	Amazon Linux Local Security Checks	critical
319760	TencentOS Server 4: nginx (TSSA-2026:0398)	Nessus	Tencent Local Security Checks	critical
319632	Debian dsa-6326 : libnginx-mod-http-geoip - security update	Nessus	Debian Local Security Checks	critical
318631	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS : nginx vulnerabilities (USN-8375-1)	Nessus	Ubuntu Local Security Checks	critical
318250	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : nginx vulnerabilities (USN-8354-1)	Nessus	Ubuntu Local Security Checks	critical
318137	Fedora 43 : nginx / nginx-mod-brotli / nginx-mod-fancyindex / etc (2026-dd9cd16b18)	Nessus	Fedora Local Security Checks	critical
317368	Fedora 44 : nginx / nginx-mod-brotli / nginx-mod-fancyindex / etc (2026-da68d7bf53)	Nessus	Fedora Local Security Checks	critical
115255	Nginx < 1.30.2 Buffer Overflow	Web App Scanning	Component Vulnerability	critical
115254	Nginx 1.31.0 Buffer Overflow	Web App Scanning	Component Vulnerability	critical
316660	FreeBSD : nginx -- heap buffer overflow in ngx_http_rewrite_module (36a3131d-5600-11f1-b339-3497f65b111b)	Nessus	FreeBSD Local Security Checks	critical
316569	Linux Distros Unpatched Vulnerability : CVE-2026-9256	Nessus	Misc.	critical

Detections

Analytics

CVE-2026-9256

critical

Tenable Plugins

Coming Soon

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical