[CLSA-2026:1779808405] Fix CVE(s): CVE-2026-9256

Type:

security

Severity:

Important

Release date:

2026-05-26 15:13:38 UTC

Description:

   * SECURITY UPDATE: heap buffer overflow in ngx_http_rewrite_module with
     overlapping captures in the rewrite replacement string
     - debian/patches/CVE-2026-9256.patch: account for per-capture escaping
       inside the length loop in ngx_http_script_regex_start_code(), reset
       e->is_args on rewrite start, and propagate is_args to complex value
       length calculation in src/http/ngx_http_script.c
     - CVE-2026-9256

Updated packages:

nginx1.27_1.27.5-1~trixie+tuxcare.els5_amd64.deb
sha:aa391f6b2ac3c9acb2af53e65fdf8dc72938f13a
nginx1.27_1.27.5-1~trixie+tuxcare.els5_arm64.deb
sha:fe839de6e24f899ac8dd219e9ca85e0cc0583069

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.