SB2026052504 - Fedora 44 update for nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-js-challenge, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts

Description

This security bulletin contains information about 1 vulnerability.

1) Heap-based buffer overflow (CVE-ID: CVE-2026-9256)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to heap-based buffer overflow in ngx_http_rewrite_module when processing crafted HTTP requests that trigger rewrite directives using overlapping PCRE captures and multiple capture references in a redirect or arguments context. A remote attacker can send crafted HTTP requests to execute arbitrary code or crash the web server.

There is no control plane exposure; this is a data plane issue only. Code execution is possible on systems with ASLR disabled or when ASLR can be bypassed.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2026-da68d7bf53