Full Report
F5 security advisory (AV26-501)
Analysis Summary
# Vulnerability: NGINX Rewrite Module Memory Corruption
## CVE Details
- **CVE ID:** CVE-2026-9256
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) / CWE-787 (Out-of-bounds Write)
## Affected Systems
- **Products:**
- NGINX Plus
- NGINX Open Source
- NGINX Instance Manager
- F5 WAF for NGINX
- NGINX App Protect WAF
- F5 DoS for NGINX
- NGINX App Protect DoS
- NGINX Gateway Fabric
- NGINX Ingress Controller
- **Versions:**
- NGINX Instance Manager: 2.17.0 to 2.22.0
- F5 WAF for NGINX: 5.9.0 to 5.13.0
- NGINX App Protect DoS: 4.3.0 to 4.7.0
- F5 DoS for NGINX: 4.9.0
- *Note: Multiple versions affected for Open Source, Plus, Gateway Fabric, and Ingress Controller; refer to vendor documentation for full version parity.*
- **Configurations:** Systems utilizing the `ngx_http_rewrite_module` with specific rewrite rules processing untrusted input.
## Vulnerability Description
A critical heap-based buffer overflow vulnerability exists in the NGINX `ngx_http_rewrite_module`. The flaw is triggered when the module processes specially crafted requests against specific rewrite or redirection rules. Due to improper validation of the length of input data before copying it to a memory buffer, an attacker can cause memory corruption. This can lead to a crash (Denial of Service) or potential arbitrary code execution in the context of the NGINX worker process.
## Exploitation
- **Status:** Not exploited in the wild (at time of advisory)
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential for memory exposure or code execution)
- **Integrity:** High (Potential for unauthorized modification of data)
- **Availability:** High (Critical; leads to service crashes)
## Remediation
### Patches
F5 recommends upgrading to the following versions (or later) to resolve the issue:
- **NGINX Instance Manager:** Upgrade to 2.23.0
- **F5 WAF for NGINX:** Upgrade to 5.14.0
- **NGINX App Protect DoS:** Upgrade to 4.8.0
- **F5 DoS for NGINX:** Upgrade to 4.10.0
- *Consult the specific F5 security advisory for patch levels regarding NGINX Open Source and Plus mainline/stable branches.*
### Workarounds
- Disable the `ngx_http_rewrite_module` if its functionality is not essential for the environment.
- Review and sanitize rewrite rules to ensure they do not process unvalidated headers or URI components from untrusted sources.
## Detection
- **Indicators of Compromise:** Unusual NGINX worker process crashes (Segmentation Faults) recorded in error logs.
- **Detection methods:** Use vulnerability scanners to check for the NGINX version string. Review configuration files for heavy use of complex regex in `rewrite` or `return` directives.
## References
- [K000161377: NGINX ngx_http_rewrite_module vulnerability CVE-2026-9256] hxxps[://]my[.]f5[.]com/manage/s/article/K000161377
- [F5 Security Advisories Portal] hxxps[://]my[.]f5[.]com/manage/s/new-updated-articles#f-f5_document_type=Security%20Advisory
- [Canadian Centre for Cyber Security Advisory (AV26-501)] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/f5-security-advisory-av26-501