
JohannesLks/CVE-2026-27654


CVE-2026-27654

NGINX ngx_http_dav_module Heap Buffer Overflow via size_t Underflow (Remote DoS / Potential RCE)

Description

`ngx_http_dav_copy_move_handler()` in `src/http/modules/ngx_http_dav_module.c` computes the destination URI length by subtracting the location prefix length from the length of the Destination header's URI path component. Both values are `size_t` (unsigned 64-bit). When the destination path is shorter than the location prefix, the subtraction wraps around to a value near `SIZE_MAX` (~0), producing a massive memcpy length that overflows a 7-byte heap allocation and crashes the worker process.

A single crafted MOVE or COPY request to an alias-mapped DAV location triggers the overflow. The nginx master respawns the worker, but repeated requests hold the server in a continuous crash loop.

ASan confirms: negative-size-param: (size=-7) at memcpy in ngx_http_core_module.c:1949, called from ngx_http_dav_copy_move_handler.

Affected: nginx 0.5.13 through 1.28.2 (stable) and 1.29.0 through 1.29.6 (mainline), compiled with --with-http_dav_module and using alias in the DAV location. Fixed in 1.28.3 / 1.29.7 (commit ab4b5b8, PR #1210).
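The arithmetic described above, as an added example: this is not nginx source code and not the upstream fix. The function names, paths and buffer sizes are hypothetical, and the sample lengths are constructed so the unchecked result matches the `size=-7` that ASan reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: both operands are size_t, so a destination shorter
 * than the prefix wraps around instead of going negative. */
static size_t tail_len_unchecked(size_t dest_len, size_t prefix_len)
{
    return dest_len - prefix_len;
}

/* Checked mapping of a destination path onto an alias directory
 * (hypothetical helper). Returns 0 and writes a NUL-terminated path to
 * out, or -1 if dest is outside the prefix or out is too small. */
static int map_alias_checked(const char *dest, const char *prefix,
                             const char *alias, char *out, size_t out_cap)
{
    size_t dest_len = strlen(dest);
    size_t prefix_len = strlen(prefix);
    size_t alias_len = strlen(alias);
    size_t tail_len;

    /* Reject before subtracting: shorter than, or not under, the prefix. */
    if (dest_len < prefix_len || memcmp(dest, prefix, prefix_len) != 0) {
        return -1;
    }
    tail_len = dest_len - prefix_len;   /* cannot wrap after the check */

    /* Overflow-safe form of: alias_len + tail_len + 1 <= out_cap. */
    if (alias_len >= out_cap || tail_len > out_cap - alias_len - 1) {
        return -1;
    }
    memcpy(out, alias, alias_len);
    memcpy(out + alias_len, dest + prefix_len, tail_len);
    out[alias_len + tail_len] = '\0';
    return 0;
}

int main(void)
{
    char out[64];
    /* Constructed sample: 2-byte destination, 9-byte location prefix. */
    printf("unchecked length: %zu\n", tail_len_unchecked(2, 9));
    printf("short dest: %d\n", map_alias_checked("/u", "/uploads/", "/srv/dav/", out, sizeof out));
    printf("valid dest: %d\n", map_alias_checked("/uploads/a.txt", "/uploads/", "/srv/dav/", out, sizeof out));
    return 0;
}
```

The unchecked call returns `SIZE_MAX - 6`, which a signed interpretation prints as -7; the checked helper refuses the same input before any length is derived from it.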

Usage

```bash
# Docker (recommended -- builds vulnerable nginx from source):
docker compose up -d --build
python3 poc.py --target 127.0.0.1:8080

# Native (builds nginx 1.28.2 from source, no Docker):
./run.sh              # non-ASan build (observes SIGSEGV crash)
./run.sh --asan       # ASan build (definitive proof)
./run.sh --both       # run both sequentially

# Against an existing vulnerable nginx instance:
python3 poc.py --target <HOST:PORT>
python3 poc.py --target <HOST:PORT> --no-put    # if trigger file already exists
python3 poc.py --target <HOST:PORT> --verbose
```

Requirements

  • Target: nginx compiled with --with-http_dav_module, location block using alias (not root), dav_methods includes COPY or MOVE
  • Attacker: Python 3, requests (pip install requests)
  • For native build: gcc, make, libpcre2-dev, libssl-dev, zlib1g-dev, wget

Files

| File | Description |
| --- | --- |
| poc.py | Python PoC -- sends PUT + crafted MOVE to crash the worker |
| run.sh | Builds nginx from source (ASan / non-ASan) and runs the PoC |
| Dockerfile | Multi-stage build of vulnerable nginx 1.28.2 |
| docker-compose.yml | One-command Docker setup |
| nginx.conf | Vulnerable configuration (alias + dav_methods COPY MOVE) |
| proof_output.txt | ASan output from live verification |

Legal Notice

This project is released under the GNU GPLv3.

It is provided for defensive security research, education, and authorized testing. Do not use this code against systems or services without explicit permission from the owner.

Unauthorized use may violate applicable law. The authors do not grant permission to test third-party systems and are not responsible for misuse.

See the LICENSE file for warranty and liability terms.
