CVE-2026-9256

HIGH LAB

F5 NGINX Plus - NGINX ngx_http_rewrite_module Vulnerability

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2026-9256. PoCs published by friparia, y198nt, 06-ux.

AI-analyzed exploit summary This repository contains a scanner for detecting the CVE-2026-42945 vulnerability in NGINX configurations. It checks for specific rewrite and capture patterns that could lead to a heap buffer overflow.

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Exploits (6)

github SCANNER 33 stars
by friparia · pythonpoc
https://github.com/friparia/NGINX_RIFT_SCAN_CVE_2026_42945

This repository contains a scanner for detecting the CVE-2026-42945 vulnerability in NGINX configurations. It checks for specific rewrite and capture patterns that could lead to a heap buffer overflow.

Classification
Scanner 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: NGINX Open Source 0.6.27 through 1.30.0
No auth needed
Prerequisites: NGINX configuration file or access to NGINX -T command
devstral-2 · analyzed May 27, 2026 Full analysis →
github WORKING POC
by y198nt · pythonpoc
https://github.com/y198nt/Nginx-chain-Rift-Poolslip

This repository contains a functional exploit for CVE-2026-9256, demonstrating an ASLR-independent remote code execution (RCE) chain targeting nginx 1.30.0. The exploit combines two vulnerabilities (PoolSlip and rift) to leak libc and heap addresses, then perform a partial overwrite of a cleanup pointer to achieve arbitrary command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: nginx 1.30.0
No auth needed
Prerequisites: Docker · Python 3 · curl · Linux x86-64
devstral-2 · analyzed Jun 05, 2026 Full analysis →
github WORKING POC
by 06-ux · pythonpoc
https://github.com/06-ux/CVE-2026-9256-POC

This repository contains a functional PoC for CVE-2026-9256, demonstrating a heap buffer overflow in Nginx 1.30.1 via crafted URI paths. The exploit includes heap pointer leakage and crash triggers, with a Docker setup for testing.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Nginx 1.30.1
No auth needed
Prerequisites: Nginx 1.30.1 with specific rewrite configuration
devstral-2 · analyzed Jun 03, 2026 Full analysis →
github WORKING POC
by 3nou9h · pythonpoc
https://github.com/3nou9h/CVE-2026-9256-Poc

This repository contains functional exploit code demonstrating a heap buffer overflow in nginx's ngx_http_rewrite_module (CVE-2026-9256). The PoC includes three stages: heap pointer leak, libc pointer leak, and a DoS crash via controlled overflow.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Complex
Reliability
Reliable
Target: nginx 1.31.0
No auth needed
Prerequisites: Docker · Python 3 · nginx with vulnerable configuration
devstral-2 · analyzed May 28, 2026 Full analysis →
github WORKING POC
by W5M1n9 · pythonpoc
https://github.com/W5M1n9/NGINX-ngx_http_rewrite_module-heap-buffer-overflow-CVE-2026-9256

This repository contains a functional PoC for CVE-2026-9256, a heap buffer overflow in the NGINX ngx_http_rewrite_module. The script sends a crafted request with a large number of '+' characters to trigger the vulnerability and verifies remote worker crashes via connection drops and keepalive probes.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: NGINX with vulnerable rewrite/capture handling
No auth needed
Prerequisites: NGINX with rewrite rules containing overlapping capture groups and multiple captured variables
devstral-2 · analyzed May 28, 2026 Full analysis →
github WRITEUP
by suominen · htmlpoc
https://github.com/suominen/CVE-2026-9256

This repository is a comprehensive technical analysis and tracking page for CVE-2026-9256, a heap buffer overflow vulnerability in nginx's ngx_http_rewrite_module. It includes detailed information on affected versions, distribution status, mitigation strategies, and verification steps.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: nginx (versions 0.1.17 through 1.31.0 and 1.30.1)
No auth needed
Prerequisites: nginx configuration with a rewrite directive using PCRE captures in a redirect or arguments context
devstral-2 · analyzed May 24, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.1
EPSS 0.0107
EPSS Percentile 60.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull nginx:1.31.0
docker pull nginx:1.30.1
+3 more repos

Details

CWE
CWE-122
Status published
Products (10)
F5/NGINX Open Source 0.1.17
F5/NGINX Open Source 0.1.17 - 0.9.7
F5/NGINX Open Source 1.30.0 - 1.30.2
F5/NGINX Open Source 1.31.0 - 1.31.1
F5/NGINX Plus 37.0 - 37.0.1.1
F5/NGINX Plus R32 - R32 P7
F5/NGINX Plus R36 - R36 P5
f5/nginx_open_source 1.31.0
f5/nginx_open_source 0.1.17 - 0.9.7
f5/nginx_plus 37.0.0 - 37.0.1.1
Published May 22, 2026
Tracked Since May 22, 2026