
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27654: Heap-based Buffer Overflow in NGINX ngx_http_dav_module via Integer Underflow


Vulnerability ID: CVE-2026-27654
CVSS Score: 8.2
Published: 2026-03-24

CVE-2026-27654 is a critical vulnerability in the NGINX Open Source and NGINX Plus ngx_http_dav_module. An integer underflow in the processing of WebDAV COPY and MOVE requests triggers a heap-based buffer overflow. This flaw enables denial of service via worker process termination and arbitrary file manipulation outside the document root.

TL;DR

Integer underflow in NGINX WebDAV module allows unauthenticated attackers to trigger a heap overflow via crafted COPY/MOVE requests, leading to DoS or arbitrary file read/write.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-122, CWE-191
  • Attack Vector: Network
  • CVSS Score: 8.2 (HIGH)
  • EPSS Score: 0.00034 (9.88%)
  • Impact: Denial of Service, Arbitrary File Read/Write
  • Exploit Status: PoC Available
  • CISA KEV: Not Listed

Affected Systems

  • NGINX Open Source: 0.5.13 - 0.9.7 (Fixed in: 1.28.3)
  • NGINX Open Source: 1.0.0 - 1.28.2 (Fixed in: 1.28.3)
  • NGINX Open Source: 1.29.0 - 1.29.6 (Fixed in: 1.29.7)
  • NGINX Plus: R32 - R36 (Fixed in: R36 P3)

Exploit Details

  • GitHub: Public Proof of Concept repository demonstrating worker process crashes via truncated Destination headers.
  • Calif.io Publications: Writeup and PoC repository documenting arbitrary file read and write techniques.

Mitigation Strategies

  • Upgrade NGINX Open Source to version 1.28.3 (Stable) or 1.29.7 (Mainline).
  • Upgrade NGINX Plus to the latest patch release (R32 P5, R33 P4, R34 P3, R35 P2, or R36 P3).
  • Disable the ngx_http_dav_module if WebDAV capabilities are not required.
  • Remove COPY and MOVE methods from the dav_methods directive.
  • Replace the alias directive with the root directive in WebDAV location blocks.

Remediation Steps:

  1. Audit NGINX configuration files for the presence of the dav_methods directive.
  2. Identify location blocks utilizing both the alias directive and COPY/MOVE methods.
  3. Schedule a maintenance window to apply the relevant NGINX binary update.
  4. Deploy the updated binaries and perform a configuration syntax check (nginx -t).
  5. Restart the NGINX service to ensure worker processes are running the patched code.
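
Steps 1 and 2 can be scripted. The following Python code is an added example, not code from the advisory or from the NGINX project; the sample configuration, its paths and the function names are constructed for illustration. It parses configuration text, resolves `dav_methods` inherited from enclosing blocks, and reports every location that allows COPY or MOVE together with whether that location uses `alias`.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """
server {
    dav_methods PUT MOVE;                        # inherited by locations that set none
    location /files/ {
        alias /srv/dav/;
        dav_methods PUT DELETE MKCOL COPY MOVE;
    }
    location /inbox/ { alias /srv/inbox/; }      # inherits MOVE from server
    location /pub/   { root /srv/pub; dav_methods PUT COPY; }
    location /share/ { root /srv/www; dav_methods PUT; }
}
"""

# Comments, quoted strings, structural characters, bare words.
TOKEN = re.compile(r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+""")

def parse(tokens):
    """Build [(words, children)]; children is None for a simple directive."""
    items, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in (";", "{"):
            items.append((words, parse(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok.strip("\"'"))
    return items

def audit(items, header=(), inherited=frozenset()):
    """Return (location, risky_methods, uses_alias) per location allowing COPY/MOVE."""
    simple = {w[0]: w[1:] for w, kids in items if kids is None and w}
    methods = {m.upper() for m in simple.get("dav_methods", inherited)}
    risky = sorted(methods & {"COPY", "MOVE"})
    found = []
    if header[:1] == ["location"] and risky:
        found.append((" ".join(header[1:]), risky, "alias" in simple))
    for words, kids in items:
        if kids is not None:
            found += audit(kids, words, methods)
    return found

def audit_text(conf_text):
    return audit(parse(t for t in TOKEN.findall(conf_text) if t[0] != "#"))

if __name__ == "__main__":
    print(*audit_text(SAMPLE_CONF), sep="\n")
```

`include` directives are not followed, so run it over each configuration file; a `dav_methods` value inherited from a different file is not resolved.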

Read the full report for CVE-2026-27654 on our website for more details including interactive diagrams and full exploit analysis.
