CVE-2026-27654
Published: 24 March 2026
Summary
CVE-2026-27654 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in F5 Nginx Plus. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of flaws like this NGINX buffer overflow vulnerability through patching or upgrades as detailed in the F5 advisory.
CM-7 enforces least functionality by disabling the unnecessary ngx_http_dav_module or its MOVE/COPY methods to prevent exploitation.
CM-6 mandates secure configuration settings to avoid the vulnerable combination of DAV methods with prefix locations and alias directives in NGINX.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing NGINX (DAV MOVE/COPY) directly enables unauthenticated remote exploitation for worker crash (DoS) or limited file name manipulation outside root.
NVD Description
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or…
more
modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Deeper analysisAI
CVE-2026-27654 is a buffer overflow vulnerability (CWE-122) in the ngx_http_dav_module of NGINX Open Source and NGINX Plus, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). The issue arises when the NGINX configuration file enables the DAV module's MOVE or COPY methods alongside prefix location configurations (non-regular expression) and alias directives. Software versions that have reached End of Technical Support (EoTS) were not evaluated for this vulnerability.
An unauthenticated network attacker can exploit this vulnerability with low attack complexity to trigger a buffer overflow in the NGINX worker process. Successful exploitation may cause termination of the worker process, resulting in a denial of service, or allow modification of source or destination file names outside the document root. The integrity impact remains low because the NGINX worker process typically runs with restricted privileges and lacks access to the full system.
The F5 advisory at https://my.f5.com/manage/s/article/K000160382 details mitigation guidance for this vulnerability.
Details
- CWE(s)