CVE-2026-21876
Published 2026-01-08
Priority: P3 · 50 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EXPLOIT
EPSS: 13.12% (95.9th percentile)
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
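The overwrite described above, modeled in Python as an added example (this is not CRS code and not the upstream patch). The regexes, the charset allowlist, the function names and the sample part headers are simplified, constructed assumptions.

```python
import re

# Simplified stand-ins (assumptions); these are NOT the regexes of CRS rule 922110.
CAPTURE_RX = re.compile(r"^content-type\s*:\s*(.*)$", re.IGNORECASE)
CHARSET_RX = re.compile(r'charset\s*=\s*"?([^";\s]+)', re.IGNORECASE)
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}


def charset_allowed(content_type_value):
    """True when no charset parameter is present or it is on the allowlist."""
    m = CHARSET_RX.search(content_type_value)
    return m is None or m.group(1).lower() in ALLOWED_CHARSETS


def chained_check_last_capture(part_headers):
    """Model of the described bug: the first rule iterates the collection and
    overwrites TX:0/TX:1 on every match; the chained rule then inspects only
    the value left by the final iteration."""
    tx = {}
    for header in part_headers:
        m = CAPTURE_RX.match(header)
        if m:
            tx["0"], tx["1"] = m.group(0), m.group(1)  # earlier capture is lost
    return "1" in tx and not charset_allowed(tx["1"])


def per_part_check(part_headers):
    """Validate each captured value before the next iteration can replace it.
    Returns every part header that fails the charset check."""
    flagged = []
    for header in part_headers:
        m = CAPTURE_RX.match(header)
        if m and not charset_allowed(m.group(1)):
            flagged.append(header)
    return flagged


# Constructed sample: per-part headers of a two-part multipart body.
PARTS_UNLISTED_FIRST = [
    'Content-Disposition: form-data; name="a"',
    "Content-Type: text/plain; charset=x-unlisted",
    'Content-Disposition: form-data; name="b"',
    "Content-Type: text/plain; charset=utf-8",
]

if __name__ == "__main__":
    print("last-capture model flags request:", chained_check_last_capture(PARTS_UNLISTED_FIRST))
    print("per-part model flags headers:", per_part_check(PARTS_UNLISTED_FIRST))
```

The last-capture model only reports the request when the unlisted charset happens to be in the final part, which is why a regression test for the patched rule set should place the offending part first.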
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coreruleset | coreruleset | < 4.22.0 | 4.22.0 |
| coreruleset | coreruleset | < 3.3.8 | 3.3.8 |
| debian | modsecurity-crs | < modsecurity-crs 3.3.4-1+deb12u1 (bookworm) | modsecurity-crs 3.3.4-1+deb12u1 (bookworm) |
| owasp | owasp_modsecurity_core_rule_set | < 3.3.8 | 3.3.8 |
| owasp | owasp_modsecurity_core_rule_set | >= 4.0.0 < 4.22.0 | 4.22.0 |
CVSS provenance
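| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | | 5.3 | MEDIUM | |
| vendor_debian | | 9.3 | CRITICAL | |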
Debian
CVE-2026-21876: modsecurity-crs - The OWASP core rule set (CRS) is a set of generic attack detection rules for use...
vendor_debian·2026·CVSS 9.3
Scope: local
bookworm: resolved (fixed in 3.3.4-1+deb12u1)
bullseye: resolved (fixed in 3.3.4-1~deb11u2)
forky: resolved (fixed in 3.3.8-1)
sid: resolved (fixed in 3.3.8-1)
OSV
CVE-2026-21876: The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls
osv·2026-01-08·CVSS 5.3
No detection rules found.
Hackernews
⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
blogs_hackernews·2026-04-27
CVE-2025-20333 ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
## ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains got hit. Fake help desks worked. Weird research showed how easy some attacks still are.
Most of it feels like stuff we should have fixed years ago. Bad extensions. Stolen creds. Remote tools are getting abused. Malware hides in places people trust. Same mess, cleaner packaging.
Coffee is cold. The vuln list is ugly. Let’s get into it.
## ⚡ Threat of the Week
New fast16 Malware Was Developed Y
Wiz
CVE-2026-21876 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
## CVE-2026-21876 :
Linux Debian vulnerability analysis and mitigation
Source: NVD
Score 5.3
Published January 8, 2026
Severity MEDIUM
CNA Score 9.3
Affected Technologies
Linux Debian
Amazon Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
modsecurity-crs
mod_security_crs
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Jan 11, 2026
Echo Severity MEDIUM Has Fix Added at: Jan 11, 2026
https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8
https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0
https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
https://github.com/daytriftnewgen/CVE-2026-21876
Published: 2026-01-08