CVE-2026-30923
Published 2026-05-05
Priority P3 · 42 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.43% (34.8th percentile)
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.
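The advisory text says only that a single-character query parameter crashes a rule that applies t:hexDecode; the page does not state the root cause, and the code below is not libmodsecurity's implementation. It is an added example of how a pair-wise hex decoder has to bound-check the trailing odd character so that a one-byte input (assumed here to be the problematic shape, since one character cannot form a hex pair) is passed through instead of reading past the end of the buffer. Function and helper names are the example's own.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <string>

// Value of one hex digit, or -1 if c is not a hex digit.
static int hexNibble(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Lenient, bounds-checked hex decode of the kind a WAF transformation needs:
// every complete pair of hex digits becomes one byte; anything else (a non-hex
// character, or a lone trailing character) is copied through unchanged.
// The "i + 1 < n" test is the whole point: it guarantees we never read in[i + 1]
// when only in[i] exists, so a one-character input cannot run off the buffer.
std::string hexDecodeBounded(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    const std::size_t n = in.size();
    std::size_t i = 0;
    while (i < n) {
        if (i + 1 < n) {
            const int hi = hexNibble(static_cast<unsigned char>(in[i]));
            const int lo = hexNibble(static_cast<unsigned char>(in[i + 1]));
            if (hi >= 0 && lo >= 0) {
                out.push_back(static_cast<char>((hi << 4) | lo));
                i += 2;
                continue;
            }
        }
        // No complete pair available at this position: pass the byte through.
        out.push_back(in[i]);
        i += 1;
    }
    return out;
}

int main() {
    // Constructed inputs, including the single-character edge case from the advisory.
    const char* samples[] = {"", "a", "4", "41", "414", "4g", "4141"};
    for (const char* s : samples) {
        std::cout << '"' << s << "\" -> \"" << hexDecodeBounded(s) << "\"\n";
    }
    return 0;
}
```

The same shape of check applies to any transformation that consumes input in fixed-size groups (base64, URL escapes, UTF-8 sequences): test that the whole group is present before touching any byte beyond the current one, and fuzz the transformation with inputs of length 0, 1 and group size minus one before shipping it.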
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mod_security | mod_security | — | — |
| owasp-modsecurity | modsecurity | < 3.0.15 | 3.0.15 |
| owasp | modsecurity | < 3.0.15 | 3.0.15 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 8.2 | HIGH | — |
Red Hat
CVE-2026-30923 [HIGH] CWE-1287 libModSecurity3: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation
vendor_redhat · 2026-05-05 · CVSS 8.2
A flaw was found in libModSecurity3, a component of the ModSecurity web application firewall (WAF). An attacker can exploit a segmentation fault by sending a specially crafted query string parameter containing a single character, which is then processed by a rule using the t:hexDecode transformation. This can cause worker processes to crash, leading to a denial of service (DoS) for the affected system.
Package: mod_security (Red Hat Enterprise Linux 7) - Affected
Package: mod_security (Red Hat Enterprise Linux 8) - Affected
Package: mod_security (Red Hat Enterprise Linux 9) - Affected
VulDB
CVE-2026-30923 [HIGH] OWASP ModSecurity up to 3.0.14 on Apache LibModSecurity t:hexDecode out-of-bounds (GHSA-qrjc-3jpc-3h2g)
vuldb · 2026-05-05 · CVSS 8.2
A vulnerability was found in OWASP ModSecurity up to 3.0.14 on Apache. It has been declared as problematic. It affects the function t:hexDecode of the LibModSecurity component; manipulation of the input leads to an out-of-bounds read.
This vulnerability is referenced as CVE-2026-30923. It is possible to launch the attack remotely. No exploit is available.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-30923 [HIGH] libmodsecurity: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation [fedora-all]
bugzilla · 2026-06-04 · CVSS 8.2
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-30923 [HIGH] libmodsecurity: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation [epel-all]
bugzilla · 2026-06-04 · CVSS 8.2
Bugzilla
CVE-2026-30923 [HIGH] mod_security: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation [epel-all]
bugzilla · 2026-06-04 · CVSS 8.2
Bugzilla
CVE-2026-30923 [HIGH] mod_security: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation [fedora-all]
bugzilla · 2026-06-04 · CVSS 8.2
Bugzilla
CVE-2026-30923 [HIGH] libModSecurity3: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation
bugzilla · 2026-05-05 · CVSS 8.2