Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?

Reply: Fernando_Apesteguía : "Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?"
In reply to: Arnaud de Prelle : "nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Martin Simmons <martin_at_lispworks.com>
Date: Mon, 01 Jun 2026 14:26:22 UTC

[fernape@ added]

>>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
> 
> Hi,
> 
> As per
> - https://www.freshports.org/www/nginx/ and
> - 
> https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> CVE-2026-9256 should be fixed since nginx 1.30.2,3.

The contents of this URL was stale -- the VuXML now says nginx < 1.31.1,3
(since yesterday), which explains why pkg audit is detecting it.

> I'm using the latest version of nginx:
> # pkg info nginx | grep Version
> Version        : 1.30.2_2,3
> 
> But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> # pkg audit -F
> vulnxml file up-to-date
> nginx-1.30.2_2,3 is vulnerable:
>    nginx -- heap buffer overflow in ngx_http_rewrite_module
>    CVE: CVE-2026-9256
>    WWW: 
> https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> 
> Am I missing something ?

The VuXML looks wrong to me now.

nginx released both 1.30.2 and 1.31.1 to fix this CVE
(https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).

__Martin