ALINUX3-SA-2026:0150
摘要
Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-49975: Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. CVE-2026-9256: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. **Solution**: 请您尽快将升级到修复后的版本。修复命令如下: yum update --advisory ALINUX3-SA-2026:0150 **Affected Products**: Alinux 3.2104, Alinux 3 Pro
正文
Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-49975: Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. CVE-2026-9256: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
标签
- cve:cve-2026-49975
- cve:cve-2026-9256
- severity:important
- type:advisory
- vendor:alibaba
扩展字段
{
"advisory_id": "ALINUX3-SA-2026:0150",
"affected_products": [
"Alinux 3.2104",
"Alinux 3 Pro"
],
"cve_ids": [
"CVE-2026-49975",
"CVE-2026-9256"
],
"raw_pub_date": "Thu, 11 Jun 2026 17:37:07 +0800",
"solution": "请您尽快将升级到修复后的版本。修复命令如下:\nyum update --advisory ALINUX3-SA-2026:0150"
}