CVE-2026-9256 is a heap-based buffer overflow in NGINX Open Source and NGINX Plus within ngx_http_rewrite_module, specifically in rewrite processing involving overlapping PCRE capture groups. The issue occurs when a rewrite directive uses distinct overlapping captures, for example ^/((.*))$, and the replacement string references more than one of them, for example $1$2, in a redirect or arguments/query-string context. Supporting analysis indicates the root cause is an incorrect buffer size calculation during rewrite script processing in ngx_http_script_regex_start_code() in src/http/ngx_http_script.c: NGINX underestimates the space required for URI-escaped output because it budgets escaping once for the whole URI, while the later copy of overlapping captures can escape the same bytes more than once. This mismatch can cause writes past the end of a heap buffer in the worker process. Additional analysis also notes that the resulting overrun can influence data later used in the Location header, creating an information disclosure primitive alongside the memory corruption.
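To check a deployment for the configuration shape the advisory describes, the following added script (not from Mallory or from any of the repositories summarised on this page) scans nginx configuration text for rewrite directives whose replacement references two nested capture groups in a redirect or query-string context. It assumes numbered $n references only (named captures are not modelled) and embeds a constructed sample config.

```python
import itertools
import re
import shlex

# Constructed sample config (not from any repository on this page): the first
# rewrite has the trigger shape the advisory describes, the other two are controls.
SAMPLE_CONF = r"""server {
    location /  { rewrite ^/((.*))$ /redirect/$1$2? redirect; }
    location /a { rewrite ^/a/(.*)$ /b/$1 permanent; }
    location /c { rewrite "^/c/((\w+))$" /d/$1 last; }
}"""

def capture_spans(regex):
    # Numbered group -> (open, close) offsets; "(?" groups count as non-capturing here.
    spans, stack, n, in_class, i = {}, [], 0, False, 0
    while i < len(regex):
        c = regex[i]
        if c == "\\": i += 2; continue          # skip the escaped character
        if in_class: in_class = c != "]"        # ignore parens inside [...]
        elif c == "[": in_class = True
        elif c == "(":
            cap = not regex.startswith("(?", i)
            n += cap
            stack.append((n, i) if cap else None)
        elif c == ")" and stack and (g := stack.pop()):
            spans[g[0]] = (g[1], i)
        i += 1
    return spans

def overlapping(spans, groups):
    # First referenced pair (a, b) with group b nested inside group a, else None.
    for a, b in itertools.combinations(sorted(g for g in groups if g in spans), 2):
        if spans[a][0] <= spans[b][0] and spans[b][1] <= spans[a][1]:
            return (a, b)
    return None

def find_risky_rewrites(conf_text):
    # (regex, replacement, flag, (a, b)) per rewrite referencing nested captures in a redirect/args context.
    out = []
    for m in re.finditer(r"\brewrite\s+([^;]+);", conf_text):
        toks = [t[1:-1] if t[:1] in "\"'" and t[-1:] == t[:1] else t
                for t in shlex.split(m.group(1), posix=False)]
        if len(toks) < 2: continue
        regex, repl, flag = (toks + [""])[:3]
        redirect = flag in ("redirect", "permanent") or repl.startswith(("http://", "https://", "$scheme"))
        pair = overlapping(capture_spans(regex), {int(x) for x in re.findall(r"\$(\d+)", repl)})
        if pair and (redirect or "?" in repl):
            out.append((regex, repl, flag, pair))
    return out
```

Run it over the output of `nginx -T` to cover included files; a hit is a directive to rewrite so that only one capture spans the escaped bytes, or to prioritise for patching.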
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
The repository is a compact, self-contained exploit lab for chaining two nginx rewrite-engine vulnerabilities into ASLR-independent remote command execution against the stock official nginx:1.30.0 image. Its structure is simple: README.md documents the chain and usage; nginx.conf defines the intentionally vulnerable target configuration; run.sh launches a Dockerized nginx lab and a slow local upstream; exp_official.py performs the exploit. The main exploit logic is in exp_official.py. It first abuses the /search rewrite path to trigger the PoolSlip over-read and recover leaked heap/libc pointers from the reflected degraded search response. It then computes the libc base, the heap base, and the address of libc's system(). Next it uses repeated POST requests to /api/upload to spray heap chunks containing fake cleanup records and a command buffer. It opens and times multiple TCP connections to groom nginx connection pools, then sends a crafted GET to /api/v1/... to trigger the rift overflow and partially overwrite the low 2 bytes of a limit_conn cleanup pointer using URL-safe bytes only. Finally, by closing/freeing connections in a controlled order, nginx walks the corrupted cleanup list during pool destruction and invokes system(cmd). The exploit is operational rather than a mere PoC: it contains full leak, address derivation, heap spray, grooming, overwrite, and trigger stages, with a user-supplied command via --cmd. It is not framework-based. The target is specifically nginx OSS on Linux, demonstrated on Debian/glibc 2.41 in the official nginx:1.30.0 container. Fingerprintable target routes are /search, /lookup, /api/v1, /api/upload, and /healthz, with local upstreams at 127.0.0.1:8080 and 127.0.0.1:9200 in the lab.
This repository is a small standalone proof-of-concept for CVE-2026-9256, described as an Nginx heap buffer overflow. It contains four files: a minimal README, a docker-compose file to launch a reproducible Nginx 1.30.1 environment, a custom nginx.conf that defines the suspected vulnerable rewrite behavior, and a Python PoC script. The exploit logic is entirely in poc.py. The script targets http://localhost:8080 and sends crafted GET requests with paths made of repeated '+' characters. In leak_heap(), it sends a shorter payload, disables redirect following, and inspects the returned Location header for hexadecimal values matching pointer patterns (0x...). In crash(), it sends a larger payload intended to trigger a crash, treating request failure/exception as success. The nginx.conf is central to the exploit setup: requests to '/' are rewritten using the regex ^/((.*))$ into /redirect/$1$2? with an HTTP redirect, which may cause malformed handling of attacker-controlled URI data and expose memory contents in the redirect header or trigger memory corruption. Overall, this is a network/web-targeted PoC for local reproduction and validation of information disclosure and denial-of-service behavior, not a full weaponized exploit and not tied to a larger exploitation framework.
This repository is a real exploit/PoC set for a heap buffer overflow in nginx's ngx_http_rewrite_module caused by undercounting escaped output size when nested overlapping regex capture groups are referenced multiple times in a static rewrite target. The repo is small and purpose-built: three Python PoCs (heap_leak.py, libc_leak.py, crash_verify.py), a Docker lab environment under env/, and a detailed README explaining root cause, trigger conditions, and expected results. Exploit capability is staged rather than full end-to-end RCE. Stage 1 (heap_leak.py) sends crafted HTTP GET requests to /echo/%25...A and parses reflected query output to recover heap pointers from ngx_http_script_engine_t fields such as e->ip, e->sp, and e->request. Stage 2 (libc_leak.py) targets /leak2/%25...A and relies on proxy_pass plus add_header to surface raw overflow bytes in the X-Leak-Y response header, scanning for a 0x7f... pointer consistent with a libc-region address; this requires ASLR to be disabled for reliability. Stage 3 (crash_verify.py) targets /leak9/ with a deeply nested capture pattern and a controlled number of encoded '+' characters to produce a larger overflow that corrupts heap metadata and crashes the nginx worker, confirming DoS. The included nginx.conf is central to the exploitability: it defines the vulnerable rewrite routes, an internal backend on 127.0.0.1:19322 for the proxy_pass leak stage, and tuning such as request_pool_size 7920 to make the overwrite deterministic. The Dockerfile and compose file create a reproducible lab based on nginx:1.31.0, exposing port 19321 and optionally allowing ASLR-disabled execution via setarch in entrypoint_aslr_off.sh. Overall, this is an operational exploit lab demonstrating unauthenticated remote web-triggered memory corruption in nginx, with practical primitives for heap disclosure, libc-range disclosure, and worker crash/DoS. It does not include a final shell or command-execution payload, but it clearly aims to support exploit development toward code execution under favorable memory-layout conditions.
49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical heap buffer overflow in nginx's rewrite engine fast path where escape-space budgeting undercounts buffer requirements when nested capture groups with overlapping positional references are used, potentially enabling RCE or denial of service in specific configurations.
A vulnerability addressed by cPanel in ea-nginx and ea-nginx-passenger, with fixes referenced in the ea-nginx v1.31.1 security release.
A heap-based buffer overflow in the NGINX ngx_http_rewrite_module caused by incorrect buffer size calculation for overlapping PCRE capture groups during URI escaping in rewrite directives. It can crash worker processes and may enable remote code execution via heap corruption and information disclosure.
A critical vulnerability in the NGINX ngx_http_rewrite_module affecting multiple NGINX and F5 products.