[CLSA-2026:1779812792] Fix CVE(s): CVE-2026-9256
Type: security
Severity: Important
Release date: 2026-05-26 20:41:54 UTC
Description:
* SECURITY UPDATE: heap buffer overflow in ngx_http_rewrite_module with overlapping captures in the rewrite replacement string
  - debian/patches/CVE-2026-9256.patch: account for per-capture escaping inside the length loop in ngx_http_script_regex_start_code(), reset e->is_args on rewrite start, and propagate is_args to complex value length calculation in src/http/ngx_http_script.c
  - CVE-2026-9256
Updated packages:
  • nginx1.27_1.27.5-1~bookworm+tuxcare.els5_amd64.deb
    sha:ce022fead60b47f6b3d7813a4ff3c3875b9bac76
  • nginx1.27_1.27.5-1~bookworm+tuxcare.els5_arm64.deb
    sha:ddd32a2036973fa50ed0c3d1c0ed3596661dcf62
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.