CVE-2026-30923
Segmentation Fault in Libmodsecurity via t:hexDecode Transformation
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owasp | libmodsecurity3 | < 3.0.15 (3.0.15 excluded) |
| owasp | modsecurity | 3.0.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-30923 is a vulnerability in libModSecurity3, a component of the ModSecurity v3 web application firewall. It occurs when a rule using the t:hexDecode transformation processes a query string parameter containing a single character. This triggers a segmentation fault due to an out-of-bounds read or memory access error during hex decoding, causing the application to crash.
The root cause is improper handling of single-character inputs in the hex decoding process, leading to memory corruption. This flaw can be exploited by an attacker to crash worker processes of the web application firewall.
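The single-character failure mode described above, as an added illustrative example (this is not libmodsecurity's own code): a hex decoder that checks the length parity and every digit before indexing, so a lone `a` is rejected instead of prompting a read of a second digit that lies past the end of the value.

```c
#include <stdio.h>
#include <stddef.h>

/* Map one ASCII hex digit to its value, or -1 if it is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened hex decode (hypothetical helper, not ModSecurity's hexDecode).
 * A decoder that simply loops over pairs, reading in[i] and in[i + 1],
 * touches in[1] for a one-byte input: that is the out-of-bounds read
 * pattern this CVE describes. Here odd length is rejected up front, so
 * no index beyond len - 1 is ever dereferenced.
 * Returns the number of bytes written to out, or -1 on malformed input
 * or insufficient output space. */
long hex_decode_safe(const char *in, size_t len,
                     unsigned char *out, size_t outcap) {
    if (len % 2 != 0) return -1;        /* "a" (len 1) is refused here */
    if (len / 2 > outcap) return -1;    /* never overrun the output buffer */
    for (size_t i = 0; i < len; i += 2) {
        int hi = hexval(in[i]);
        int lo = hexval(in[i + 1]);     /* i + 1 <= len - 1 is guaranteed */
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(len / 2);
}

int main(void) {
    /* Constructed sample values, including the one-character case. */
    const char *samples[] = {"a", "41", "4142", "4g", ""};
    size_t lens[] = {1, 2, 4, 2, 0};
    unsigned char buf[8];
    for (size_t k = 0; k < 5; k++) {
        long n = hex_decode_safe(samples[k], lens[k], buf, sizeof buf);
        printf("input \"%s\" -> %ld byte(s)\n", samples[k], n);
    }
    return 0;
}
```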
How can this vulnerability impact me?
This vulnerability can be exploited to cause a denial-of-service (DoS) attack by crashing all worker processes of the ModSecurity web application firewall. When the worker processes crash, the firewall temporarily stops protecting the web server until the processes recover.
Although the service resumes once the attack stops, the disruption can lead to downtime or reduced security coverage, potentially exposing the web application to other attacks during that period.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in libModSecurity3 worker processes when processing query strings containing a single character with the t:hexDecode transformation.
A simple way to test for the vulnerability is to send HTTP requests with query string parameters containing a single character that triggers the t:hexDecode transformation and observe if the ModSecurity worker processes crash.
For example, you can use curl or a similar tool to send such requests:
- curl 'http://yourserver/path?param=a'
If the server crashes or the ModSecurity worker processes segfault, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade libModSecurity3 to version 3.0.15 or later, where this vulnerability has been patched.
Until the upgrade can be performed, consider disabling or modifying rules that use the t:hexDecode transformation on query string parameters to prevent triggering the segmentation fault.
Monitor your ModSecurity worker processes for crashes and restart them if necessary to maintain service availability.