2466843 – (CVE-2026-30923) CVE-2026-30923 libModSecurity3: ModSecurity: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation

Bug 2466843 (CVE-2026-30923) - CVE-2026-30923 libModSecurity3: ModSecurity: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation

Summary: CVE-2026-30923 libModSecurity3: ModSecurity: ModSecurity: Denial of Service v...

Keywords:
Status:	NEW
Alias:	CVE-2026-30923
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2484694 2484697 2484698 2484699 2484700 2484701
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-05 19:01 UTC by OSIDB Bzimport
Modified:	2026-06-04 10:19 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-05 19:01:35 UTC

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.

Note You need to log in before you can comment on or make changes to this bug.