{"uuid": "982537a1-038e-4083-89d2-d75c9fe27e15", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9256", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/116620003808518966", "content": "Another vuln in NGINX rewriting. Looks pretty similar to the last one. Requires ASLR bypass or disabled for RCE.\nhttps://my.f5.com/manage/s/article/K000161377\n\nNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, /((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. (CVE-2026-9256)", "creation_timestamp": "2026-05-22T20:00:39.688281Z"}