Cyber Resilience

CVE-2026-27654

HighUpdated

Published: 24 March 2026

Published
24 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.2162 97.3th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-27654 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in F5 Nginx Plus. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-27654 is a buffer overflow vulnerability (CWE-122) in the ngx_http_dav_module of NGINX Open Source and NGINX Plus, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). The issue arises when the NGINX configuration file enables the DAV module's MOVE or COPY methods alongside prefix location configurations (non-regular expression) and alias directives. Software versions that have reached End of Technical Support (EoTS) were not evaluated for this vulnerability.

An unauthenticated network attacker can exploit this vulnerability with low attack complexity to trigger a buffer overflow in the NGINX worker process. Successful exploitation may cause termination of the worker process, resulting in a denial of service, or allow modification of source or destination file names outside the document root. The integrity impact remains low because the NGINX worker process typically runs with restricted privileges and lacks access to the full system.

The F5 advisory at https://my.f5.com/manage/s/article/K000160382 details mitigation guidance for this vulnerability.

EU & UK References

Vulnerability details

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or…

more

modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer overflow in public-facing NGINX (DAV MOVE/COPY) directly enables unauthenticated remote exploitation for worker crash (DoS) or limited file name manipulation outside root.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9256Same product: F5 Nginx Open Source
CVE-2026-42945Same product: F5 Nginx Open Source
CVE-2025-23412Same vendor: F5
CVE-2026-8711Same vendor: F5
CVE-2021-22992Same vendor: F5
CVE-2025-48724Shared CWE-120, CWE-122
CVE-2023-22422Same vendor: F5
CVE-2020-19695Same vendor: F5
CVE-2025-36557Same vendor: F5
CVE-2025-36525Same vendor: F5

Affected Assets

f5
nginx plus
r32, r33, r34, r35, r36
f5
nginx open source
0.5.13 — 0.9.7 · 1.0.0 — 1.28.3 · 1.29.0 — 1.29.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

SI-2 requires timely remediation of flaws like this NGINX buffer overflow vulnerability through patching or upgrades as detailed in the F5 advisory.

prevent

CM-7 enforces least functionality by disabling the unnecessary ngx_http_dav_module or its MOVE/COPY methods to prevent exploitation.

prevent

CM-6 mandates secure configuration settings to avoid the vulnerable combination of DAV methods with prefix locations and alias directives in NGINX.

References