nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?

Reply: Martin Simmons : "Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Arnaud de Prelle <arnaud_at_pnzone.net>
Date: Sun, 31 May 2026 20:01:11 UTC

Hi,

As per
- https://www.freshports.org/www/nginx/ and
- 
https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
CVE-2026-9256 should be fixed since nginx 1.30.2,3.

I'm using the latest version of nginx:
# pkg info nginx | grep Version
Version        : 1.30.2_2,3

But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
# pkg audit -F
vulnxml file up-to-date
nginx-1.30.2_2,3 is vulnerable:
   nginx -- heap buffer overflow in ngx_http_rewrite_module
   CVE: CVE-2026-9256
   WWW: 
https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html

Am I missing something ?

Thanks,
Arnaud.