new file mode 100644
@@ -0,0 +1,63 @@
+From 3f135ae2eb60ce376196c898a6c7cb4d774f7068 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 22 May 2026 00:00:00 +0400
+Subject: [PATCH] Rewrite: fix buffer overflow with overlapping captures.
+
+A heap memory buffer overflow might occur in a worker process when using a
+configuration with overlapping captures in ngx_http_rewrite_module,
+potentially resulting in arbitrary code execution.
+
+When calculating the buffer length for a rewrite replacement with static
+length (code->lengths == NULL), the code incorrectly used r->uri.data and
+r->uri.len for the escape size calculation across all captures, instead of
+using the actual capture offsets into the captures data. This could allow
+overlapping captures to cause a heap buffer overflow.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-9256
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068]
+Signed-off-by: Roman Arutyunyan <arut@nginx.com>
+---
+ src/http/ngx_http_script.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+--- a/src/http/ngx_http_script.c
++++ b/src/http/ngx_http_script.c
+@@ -1037,6 +1037,8 @@ ngx_http_script_start_args_code(ngx_http_script_engine_t *e)
+ void
+ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
+ {
++ int *cap;
++ u_char *p;
+ size_t len;
+ ngx_int_t rc;
+ ngx_uint_t n;
+@@ -1143,15 +1145,19 @@ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
+ if (code->lengths == NULL) {
+ e->buf.len = code->size;
+
+- if (code->uri) {
+- if (r->ncaptures && (r->quoted_uri || r->plus_in_uri)) {
+- e->buf.len += 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len,
+- NGX_ESCAPE_ARGS);
+- }
+- }
++ cap = r->captures;
++ p = r->captures_data;
+
+ for (n = 2; n < r->ncaptures; n += 2) {
+- e->buf.len += r->captures[n + 1] - r->captures[n];
++ e->buf.len += cap[n + 1] - cap[n];
++
++ if (code->uri) {
++ if (r->quoted_uri || r->plus_in_uri) {
++ e->buf.len += 2 * ngx_escape_uri(NULL, &p[cap[n]],
++ cap[n + 1] - cap[n],
++ NGX_ESCAPE_ARGS);
++ }
++ }
+ }
+
+ } else {
@@ -10,6 +10,7 @@ SRC_URI:append = " \
file://CVE-2026-28753.patch \
file://CVE-2026-32647.patch \
file://CVE-2026-42945.patch \
+ file://CVE-2026-9256.patch \
"
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
A heap memory buffer overflow might occur in a worker process when using a configuration with overlapping captures in ngx_http_rewrite_module, potentially resulting in arbitrary code execution. The buffer length calculation for static-length rewrite replacements incorrectly used r->uri.data/r->uri.len for escape-size accounting across all captures instead of the actual per-capture offsets into r->captures_data. This allowed overlapping captures to exceed the allocated buffer. Fix by iterating captures using the captures[] offsets into captures_data rather than the full URI string. Upstream-Status: Backport [https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068] CVE: CVE-2026-9256 Signed-off-by: Nelson Garcia <nelson831002@gmail.com> --- .../nginx/nginx-1.24.0/CVE-2026-9256.patch | 63 +++++++++++++++++++ .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-9256.patch