CVE-2026-52761
Received Received - Intake

Buffer Overflow in ModSecurity WAF Engine

Vulnerability report for CVE-2026-52761, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through 3.0.15, the t:utf8toUnicode transformation in src/actions/transformations/utf8_to_unicode.cc produces wrong output on i386 architecture because snprintf uses sizeof on a char pointer rather than the length of the unicode buffer, allowing rules that use this transformation to be bypassed on i386 architecture. This issue is fixed in version 3.0.16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
modsecurity modsecurity 3.0.16
modsecurity modsecurity From 3.0.0 (inc) to 3.0.15 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-467 The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in ModSecurity versions 3.0.0 through 3.0.15, specifically in the t:utf8toUnicode transformation function. On i386 architecture, the function produces incorrect output because it uses snprintf with sizeof on a char pointer instead of the actual length of the unicode buffer. This flaw allows attackers to bypass rules that rely on this transformation.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ModSecurity to version 3.0.16 or later, where the issue with the t:utf8toUnicode transformation on i386 architecture is fixed.

Impact Analysis

The vulnerability can allow attackers to bypass security rules in ModSecurity on i386 systems. This means that malicious requests that should be blocked by the web application firewall might pass through undetected, potentially leading to unauthorized actions or exploitation of the protected web applications.

Detection Guidance

This vulnerability affects ModSecurity versions from 3.0.0 through 3.0.15 on i386 architecture due to an issue in the t:utf8toUnicode transformation. Detection involves identifying if your system is running a vulnerable version of ModSecurity on an i386 architecture.

You can check the installed ModSecurity version by running the following command on your server:

  • modsecurity -v

To verify the system architecture, use:

  • uname -m

If the version is between 3.0.0 and 3.0.15 and the architecture is i386, your system is vulnerable.

Additionally, reviewing ModSecurity rules that use the t:utf8toUnicode transformation may help identify potential bypass attempts, but no specific detection commands for network traffic or logs are provided.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart