Cyber Resilience

CVE-2026-21876

Critical · Public PoC

Published: 08 January 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: fixed in CRS 4.22.0 and 3.3.8
CVSS v3.1 score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS score: 0.1312 (95.9th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-21876 is a critical-severity vulnerability in the OWASP ModSecurity Core Rule Set (vendor: OWASP), classified as Incomplete Filtering of Multiple Instances of Special Elements (CWE-794). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

The vulnerability is a logic bug in the OWASP Core Rule Set (CRS) affecting rule 922110 prior to versions 4.22.0 and 3.3.8. The rule processes multipart requests by iterating over collections such as MULTIPART_PART_HEADERS; because the capture variables TX:0 and TX:1 are overwritten on each iteration, only the final captured value reaches the subsequent chained rules, so a malicious charset in an earlier part is ignored whenever a later part carries a benign charset. The affected component is the generic attack-detection rule set used by compatible web application firewalls.

An unauthenticated remote attacker can craft a multipart request containing a malicious charset in one of the earlier parts followed by a legitimate charset in a subsequent part. Because the chained rule only evaluates the last captured value, the request evades detection and may result in high-impact consequences including confidentiality loss and limited integrity impact, as reflected in the CVSS 9.3 score.

The referenced GitHub advisory and release notes state that the issue is resolved in CRS 4.22.0 and 3.3.8; users should upgrade to one of these versions. The associated commits correct the capture-variable handling so that each multipart part is evaluated independently by the rule chain. The EPSS score remains low with only a modest peak of 0.0398 and no reported real-world exploitation.
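To make the capture-overwrite behaviour concrete, the following Python model is added here; it is not CRS code and not taken from the advisory. It contrasts the pre-fix chain semantics (only the last capture is inspected) with the fixed semantics (each part is checked on its own) over a constructed multipart body; the charset allowlist, the minimal multipart splitter and the sample body are all assumptions.

```python
import re

# Constructed allowlist standing in for the deployment's configured charset
# allowlist (an assumption; the real list is set in the CRS setup).
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}
CHARSET_RE = re.compile(r'charset\s*=\s*"?([^";\s]+)', re.IGNORECASE)

# Constructed sample body: unapproved charset in the first part, permitted one last.
SAMPLE_BODY = (
    "--demo\r\n"
    'Content-Disposition: form-data; name="a"\r\n'
    "Content-Type: text/plain; charset=x-not-allowlisted\r\n\r\nfirst\r\n"
    "--demo\r\n"
    'Content-Disposition: form-data; name="b"\r\n'
    "Content-Type: text/plain; charset=utf-8\r\n\r\nsecond\r\n"
    "--demo--\r\n"
)

def part_headers(body, boundary):
    """Minimal multipart split: return each part's raw header block."""
    blocks = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):  # closing delimiter
            break
        blocks.append(chunk.lstrip("\r\n").partition("\r\n\r\n")[0])
    return blocks

def charset_of(header_block):
    """Charset parameter of the part's Content-Type header, or None."""
    for line in header_block.split("\r\n"):
        if line.lower().startswith("content-type:"):
            m = CHARSET_RE.search(line)
            return m.group(1).lower() if m else None
    return None

def last_capture_verdict(body, boundary):
    """Pre-fix semantics: TX:1 is overwritten per part, so only the last capture is checked."""
    tx1 = None
    for block in part_headers(body, boundary):
        cs = charset_of(block)
        if cs is not None:
            tx1 = cs  # earlier captures are lost here
    return "block" if tx1 and tx1 not in ALLOWED_CHARSETS else "allow"

def per_part_verdict(body, boundary):
    """Fixed semantics: every part's charset is checked independently."""
    for block in part_headers(body, boundary):
        cs = charset_of(block)
        if cs is not None and cs not in ALLOWED_CHARSETS:
            return "block"
    return "allow"
```

Running both verdict functions over SAMPLE_BODY shows the evasion: the last-capture model allows the request while the per-part model blocks it.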


Vulnerability details

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

WAF rule bypass in multipart charset detection directly enables remote exploitation of public-facing web applications without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33691 (same product: OWASP ModSecurity Core Rule Set)
CVE-2025-66022 (same vendor: OWASP)
CVE-2026-40316 (same vendor: OWASP)

Affected Assets

Vendor: owasp
Product: owasp modsecurity core rule set
Versions: ≤ 3.3.8 · 4.0.0 to 4.22.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 Flaw Remediation (prevent): directly requires applying the CRS 4.22.0/3.3.8 patches that correct the MULTIPART_PART_HEADERS capture-variable overwrite in rule 922110.

SC-7 Boundary Protection (prevent): boundary-protection devices (WAFs) using CRS must enforce the corrected multipart charset inspection to block the evasion technique.

SI-3 Malicious Code Protection (prevent): malicious-code-protection mechanisms rely on accurate CRS rule evaluation to detect and block the crafted multipart requests described in the CVE.
