nginx 1.30.2 and 1.31.1 patch CVE-2026-9256, a buffer overflow in ngx_http_rewrite_module. The advisory went out on oss-security on May 22, 2026. Affected versions span from 0.1.17 to 1.31.0 -- which covers essentially every nginx installation that has not been updated in the last few days.

What the bug is

ngx_http_rewrite_module parses rewrite directives and URL transformation rules from your nginx configuration. CVE-2026-9256 is a buffer overflow in that parser.

The upstream advisory classifies this as Medium severity. nginx's own team does not often use that label for issues that are straightforward to reach remotely, so the Medium rating here likely reflects a limited attack surface: you probably need write access to the nginx configuration, or some other foothold, before you can trigger this remotely. The exact exploitation path has not yet been fully documented publicly.

That said: buffer overflows have a history of being reassessed upward once PoC code circulates. The gap between "Medium" and "we should patch this" is not as wide as it sounds.

Versions and fixes

  • Affected: nginx 0.1.17 through 1.31.0
  • Fixed stable branch: 1.30.2
  • Fixed mainline branch: 1.31.1

# Check current version (nginx prints it to stderr)
nginx -v

# Debian/Ubuntu -- Debian packages expected shortly
apt-get update && apt-get install nginx

# If using nginx.org packages directly
# Update from nginx.org stable or mainline repo

Distribution packages for Debian and Ubuntu were expected to follow the oss-security announcement on May 22. Check your package manager -- if you are still on pre-1.30.2 stable, you have a decision to make about whether this waits for the next maintenance window.
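As an added example (not code from this post or from the nginx project), the version check above can be turned into something a config-management run or a deploy gate can act on. The script below parses the line `nginx -v` writes to stderr and classifies the version against the ranges stated above: affected from 0.1.17 through 1.31.0, fixed in 1.30.2 on the stable branch and 1.31.1 on mainline. It assumes three-component nginx version numbers; the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the post or from the nginx project: classify an
# nginx version against the CVE-2026-9256 ranges given in the write-up above.
# Ranges as stated there: affected 0.1.17 through 1.31.0; fixed in 1.30.2
# (stable) and 1.31.1 (mainline). Assumes three-component version numbers.

# parse_nginx_version "RAW": extract "1.30.1" from the line `nginx -v` writes to
# stderr, e.g. "nginx version: nginx/1.30.1" or "nginx version: nginx/1.31.0 (Ubuntu)".
# Prints nothing when no version is found.
parse_nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# verlt A B: status 0 when dotted version A sorts strictly before B (numeric
# comparison per component, so 1.30.10 sorts after 1.30.9).
verlt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    if [ "$a1" -lt "$b1" ]; then return 0; fi
    if [ "$a1" -gt "$b1" ]; then return 1; fi
    if [ "$a2" -lt "$b2" ]; then return 0; fi
    if [ "$a2" -gt "$b2" ]; then return 1; fi
    if [ "$a3" -lt "$b3" ]; then return 0; fi
    return 1
}

# nginx_affected VERSION: status 0 when VERSION falls in the vulnerable range, 1 otherwise.
nginx_affected() {
    v=$1
    if verlt "$v" 0.1.17; then return 1; fi   # below the range the advisory names
    if verlt 1.31.0 "$v"; then return 1; fi   # 1.31.1 and later carry the fix
    case $v in
        # 1.30.2 and later on the stable branch are fixed even though they sort below 1.31.0
        1.30.*) if verlt "$v" 1.30.2; then return 0; fi; return 1 ;;
    esac
    return 0
}

# triage "RAW": print a verdict for `nginx -v` output. Status 0 = not affected,
# 1 = affected, 2 = unparseable, so it can gate a deployment or a config run.
triage() {
    v=$(parse_nginx_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse an nginx version from: $1" >&2
        return 2
    fi
    if nginx_affected "$v"; then
        echo "nginx/$v: AFFECTED by CVE-2026-9256; upgrade to 1.30.2 (stable) or 1.31.1 (mainline)"
        return 1
    fi
    echo "nginx/$v: not in the affected range"
    return 0
}

# Stand-alone use: check the locally installed nginx, if there is one.
if command -v nginx >/dev/null 2>&1; then
    triage "$(nginx -v 2>&1)" || true   # the status matters when triage is used as a gate
fi
```

Note the branch handling: 1.30.2 sorts below 1.31.0, so a naive "is it below the last affected version" check would flag a patched stable install; the explicit 1.30.x case is what keeps the stable fix from being misreported.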

My read: patch at the next window unless you have reason to believe configuration writes are available to an untrusted party, in which case the window just moved to tonight.
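The deciding question above is whether anyone untrusted can write the configuration that ngx_http_rewrite_module parses. As an added example (not code from this post or from nginx), here is a check that answers the file-permission part of that question: it lists entries under a configuration tree that are group-writable, world-writable, or owned by someone other than the expected owner. The defaults of /etc/nginx and root are assumptions and can be overridden; it only covers classic mode bits, not ACLs, and says nothing about other footholds such as a compromised deployment pipeline.

```shell
#!/bin/sh
# Added example, not code from the post or from nginx: list entries under an nginx
# configuration tree that could be modified by someone other than the expected
# owner. The directory (/etc/nginx) and owner (root) are assumed defaults.

# untrusted_writable [DIR] [OWNER]: print every file or directory under DIR that is
# group-writable, world-writable, or not owned by OWNER. Status 0 when the tree is
# clean, 1 when anything was listed. Uses only POSIX find primaries: -perm -MODE
# tests that all bits in MODE are set, -user takes a name or uid. Classic mode bits
# only; POSIX ACLs are not inspected.
untrusted_writable() {
    dir=${1:-/etc/nginx}
    owner=${2:-root}
    found=$(find "$dir" \( -type f -o -type d \) \
                 \( -perm -020 -o -perm -002 -o ! -user "$owner" \) 2>/dev/null || true)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: report on the live configuration tree with the default settings.
if untrusted_writable; then
    echo "no group-/world-writable or foreign-owned entries under /etc/nginx"
else
    echo "review the entries above: anyone who can write them controls what ngx_http_rewrite_module parses" >&2
fi
```

Run it on a tree where everything is root-owned and mode 644/755 and it prints nothing and exits 0; a single 664 file in conf.d is enough to flip the result, which is the kind of drift that turns the "Medium" rating above into a tonight problem.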


Sources: nginx security advisories; F5/nginx advisory K000161377; oss-security announcement