CVE-2026-30923
Segmentation Fault in Libmodsecurity via t:hexDecode Transformation

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.
Meta Information
Published: 2026-05-05
Last Modified: 2026-05-07
Generated: 2026-06-16
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor   Product       Version / Range
owasp    modsecurity   up to 3.0.15 (excluding)
CWE

CWE ID    Description
CWE-125   The product reads data past the end, or before the beginning, of the intended buffer.
AI Quick Actions
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-30923 is a vulnerability in libModSecurity3, a component of the ModSecurity v3 web application firewall. It occurs when a rule using the t:hexDecode transformation processes a query string parameter containing a single character. This triggers a segmentation fault due to an out-of-bounds read or memory access error during hex decoding, causing the application to crash.

The root cause is improper handling of single-character inputs in the hex decoding process, leading to memory corruption. This flaw can be exploited by an attacker to crash worker processes of the web application firewall.

Impact Analysis

This vulnerability can be exploited to cause a denial-of-service (DoS) attack by crashing all worker processes of the ModSecurity web application firewall. When the worker processes crash, the firewall temporarily stops protecting the web server until the processes recover.

Although the service resumes once the attack stops, the disruption can lead to downtime or reduced security coverage, potentially exposing the web application to other attacks during that period.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in libModSecurity3 worker processes when processing query strings containing a single character with the t:hexDecode transformation.

A simple way to test for the vulnerability is to send HTTP requests whose query string parameters contain a single character and are inspected by a rule that applies the t:hexDecode transformation, and then observe whether the ModSecurity worker processes crash.

For example, you can use curl or a similar tool to send such requests:

  • curl 'http://yourserver/path?param=a'

If the server crashes or the ModSecurity worker processes segfault, the system is vulnerable.
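The monitoring the detection guidance above calls for can be automated from the web server's own logs. The following is an added, defender-side example (not code from this advisory or from the ModSecurity project): it extracts worker segfaults from nginx and Apache httpd error logs, flags access-log requests that carry a one-character query-string value (the input shape this CVE describes), and correlates the two within a short time window. The log lines are constructed samples in the standard nginx error-log, Apache error-log and combined access-log layouts. It assumes all logs share one time zone, and that the access log comes from a front proxy or load balancer, since a worker that segfaults mid-request may never write its own access-log entry.

```python
"""Correlate worker-process segfaults with requests carrying single-character
query values.  Added example, not part of the advisory or of ModSecurity.
All sample log lines below are constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: nginx error log, one worker killed by SIGSEGV (signal 11).
NGINX_ERROR_LOG = """\
2026/05/05 10:00:01 [notice] 1#1: start worker process 2301
2026/05/05 10:00:05 [alert] 1#1: worker process 2301 exited on signal 11
2026/05/05 10:00:05 [notice] 1#1: start worker process 2310
"""

# Constructed sample: Apache httpd error log entry for a segfaulted child.
APACHE_ERROR_LOG = """\
[Tue May 05 10:00:07.512345 2026] [core:notice] [pid 1] AH00052: child pid 4412 exit signal Segmentation fault (11)
"""

# Constructed sample: combined-format access log (assumed to come from a front proxy).
ACCESS_LOG = """\
203.0.113.5 - - [05/May/2026:10:00:03 +0000] "GET /search?q=hello HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [05/May/2026:10:00:04 +0000] "GET /search?q=a HTTP/1.1" 499 0 "-" "curl/8.0"
198.51.100.9 - - [05/May/2026:10:00:06 +0000] "GET /login?id=7&next=/ HTTP/1.1" 499 0 "-" "Mozilla/5.0"
"""

NGINX_SEGFAULT = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] .*?"
    r"worker process (?P<pid>\d+) exited on signal 11")
APACHE_SEGFAULT = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] .*?"
    r"child pid (?P<pid>\d+) exit signal Segmentation fault \(11\)")
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_segfaults(nginx_log, apache_log):
    """Return (timestamp, server, pid) for every worker killed by signal 11, oldest first."""
    events = []
    for line in nginx_log.splitlines():
        m = NGINX_SEGFAULT.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, "nginx", int(m["pid"])))
    for line in apache_log.splitlines():
        m = APACHE_SEGFAULT.match(line)
        if m:
            ts = datetime.strptime(f'{m["ts"]} {m["year"]}', "%a %b %d %H:%M:%S %Y")
            events.append((ts, "apache", int(m["pid"])))
    return sorted(events)


def single_char_params(target):
    """Names of query parameters whose value is exactly one character long."""
    query = urlsplit(target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if len(v) == 1]


def parse_suspicious_requests(access_log):
    """Return (timestamp, client_ip, target, param_names) for requests with a one-character value."""
    found = []
    for line in access_log.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        names = single_char_params(m["target"])
        if names:
            # Drop tzinfo so timestamps compare with the naive error-log times (one time zone assumed).
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            found.append((ts, m["ip"], m["target"], names))
    return found


def correlate(segfaults, requests, window_seconds=10):
    """For each crash, list the suspicious requests seen in the preceding window."""
    report = []
    for crash_ts, server, pid in segfaults:
        start = crash_ts - timedelta(seconds=window_seconds)
        hits = [r for r in requests if start <= r[0] <= crash_ts]
        report.append({"crash_time": crash_ts, "server": server, "pid": pid,
                       "suspicious_requests": hits})
    return report


if __name__ == "__main__":
    crashes = parse_segfaults(NGINX_ERROR_LOG, APACHE_ERROR_LOG)
    suspects = parse_suspicious_requests(ACCESS_LOG)
    for entry in correlate(crashes, suspects):
        print(f'{entry["server"]} pid {entry["pid"]} segfaulted at {entry["crash_time"]}:')
        for ts, ip, target, names in entry["suspicious_requests"]:
            print(f"  {ts} {ip} {target}  single-char params: {names}")
```

A segfault alone is a useful alert on its own; the correlation step only narrows down which requests to look at. Note that a one-character value such as `id=7` or `next=/` is ordinary traffic on many sites, so the request filter is a triage aid rather than a signature, and the crash events are the signal worth paging on.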

Mitigation Strategies

The immediate mitigation step is to upgrade libModSecurity3 to version 3.0.15 or later, where this vulnerability has been patched.

Until the upgrade can be performed, consider disabling or modifying rules that use the t:hexDecode transformation on query string parameters to prevent triggering the segmentation fault.

Monitor your ModSecurity worker processes for crashes and restart them if necessary to maintain service availability.
