NGINX released versions 1.31.1 and 1.30.2 to fix CVE-2026-9256, a heap buffer overflow in ngx_http_rewrite_module that can be triggered by unauthenticated attackers with specially crafted HTTP requests. The flaw affects NGINX Open Source and NGINX Plus when rewrite directives use overlapping or nested PCRE capture groups and replacement strings that reference multiple captures in redirect or arguments contexts, creating memory corruption in the worker process. Successful exploitation can force worker restarts and denial of service, and may lead to arbitrary code execution if protections such as ASLR are absent or bypassed; NGINX described the issue as a data plane exposure with no control plane impact.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Researchers published an analysis of CVE-2026-9256 and CVE-2026-42945 using an open-source static scanner called ngxray to measure exposure in public GitHub nginx configurations. Their scan of 35,633 parseable configs found mostly proofs of concept and test cases, with one publicly available real configuration identified as vulnerable.
NGINX disclosed a buffer overflow vulnerability in ngx_http_rewrite_module, tracked as CVE-2026-9256, affecting NGINX Plus and NGINX Open Source when overlapping PCRE captures are used in certain rewrite directives. The issue was fixed in releases 1.31.1 and 1.30.2.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
malware.news
Open sourcecvefeed.io
Open sourceseclists.org
Open sourceopennet.me
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.