ANT-2026-HY56VRSB · nginx

heap-buffer-overflow high

CVE-2026-27654

Severity Claude high · Security research firm - · Maintainer -

Discovered by Claude Mythos Preview

REPORT

Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Calif.

ANT-2026-HY56VRSB: Heap buffer overflow in ngx_http_dav_copy_move_handler at ngx_http_dav_module.c:703 via short Destination header with alias directive

In ngx_http_dav_copy_move_handler(), processing a COPY or MOVE request in a location using the alias directive temporarily replaces r->uri with the attacker-controlled Destination header URI and calls ngx_http_map_uri_to_path() without re-matching location blocks. If the Destination URI is shorter than clcf->alias, the buffer size computation (root.len + reserved + uri.len - alias + 1) produces an undersized allocation. ngx_copy then writes root.len bytes into this undersized buffer, overflowing it, and a subsequent ngx_copy computes uri.len - alias as size_t, underflowing to a massive length and crashing the worker. An attacker needs only a single COPY request with a short Destination header (e.g., Destination: /x against a 5-character alias) to trigger worker crash and potential heap corruption.

Target

Project: nginx
Location: src/http/modules/ngx_http_dav_module.c:703
Discovery: static analysis — not yet dynamically reproduced

Technical Details

The root cause is that the handler swaps r->uri with the Destination URI (line 701) and immediately calls ngx_http_map_uri_to_path() (line 703) without validating that the new URI length is >= clcf->alias. In ngx_http_map_uri_to_path() at ngx_http_core_module.c:1943, path->len = clcf->root.len + reserved + r->uri.len - alias + 1 underflows when uri.len < alias (e.g., 9+0+2-5+1 = 7 for a 9-byte root), and ngx_copy at line 1950 writes the full 9-byte root into the 7-byte buffer. Neither ngx_http_parse_unsafe_uri nor the valid_location check enforces a minimum Destination length relative to the alias.
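The length arithmetic above, worked through as an added example (not nginx source and not the upstream patch). The `map_lens` struct and all function names are hypothetical; the values model the report's case of a 9-byte root, a 5-byte alias and a 2-byte Destination URI, and `checked_alloc_len` is one possible guard, shown under those assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the lengths named in the report; not nginx source. */
typedef struct {
    size_t root_len;   /* clcf->root.len, e.g. "/var/www/" = 9     */
    size_t alias_len;  /* clcf->alias,    e.g. "/dav/"     = 5     */
    size_t reserved;   /* extra bytes requested by the caller      */
    size_t uri_len;    /* r->uri.len after the Destination swap    */
} map_lens;

/* Allocation size as the report states it, in unsigned arithmetic. */
size_t unchecked_alloc_len(const map_lens *m) {
    return m->root_len + m->reserved + m->uri_len - m->alias_len + 1;
}

/* Length of the second copy (URI tail past the alias); wraps if uri < alias. */
size_t unchecked_tail_len(const map_lens *m) {
    return m->uri_len - m->alias_len;
}

/* Bytes by which the first copy (root_len bytes) exceeds the allocation. */
size_t first_copy_overrun(const map_lens *m) {
    size_t n = unchecked_alloc_len(m);
    return m->root_len > n ? m->root_len - n : 0;
}

/* Hypothetical guard: 0 and *out on success, -1 if the lengths are unsafe. */
int checked_alloc_len(const map_lens *m, size_t *out) {
    size_t base, tail;
    if (m->uri_len < m->alias_len) return -1;   /* URI lacks the alias prefix */
    tail = m->uri_len - m->alias_len;
    if (m->root_len > SIZE_MAX - m->reserved) return -1;
    base = m->root_len + m->reserved;
    if (tail >= SIZE_MAX - base) return -1;     /* base + tail + 1 would wrap */
    *out = base + tail + 1;
    return 0;
}

int main(void) {
    map_lens bad = { 9, 5, 0, 2 };              /* Destination "/x" */
    size_t out = 0;
    printf("alloc=%zu overrun=%zu tail=%zu guard=%d\n",
           unchecked_alloc_len(&bad), first_copy_overrun(&bad),
           unchecked_tail_len(&bad), checked_alloc_len(&bad, &out));
    return 0;
}
```

The model only computes lengths; it performs no copy, so it can be run safely to check a given root, alias and URI combination.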

Reproduction

  1. Identify a target location combining alias and dav_methods COPY/MOVE (e.g., location /dav/ { alias /var/www/; dav_methods COPY; })
  2. Send: COPY /dav/file.txt HTTP/1.1 with header Destination: /x (any path shorter than the 5-character alias '/dav/')
  3. Handler swaps r->uri to '/x' (len=2), calls ngx_http_map_uri_to_path(); path->len computes to 7 bytes but ngx_copy writes 9 bytes of root, overflowing by 2; second ngx_copy underflows 2-5 as size_t and wild-copies until crash

[No reproducer or sanitizer output attached — request from cvd@anthropic.com if needed.]

Acknowledgement

This vulnerability was discovered by Claude, Anthropic's AI assistant, and triaged by the Anthropic security team in collaboration with Anthropic Research. Please direct questions to security-cvd@anthropic.com and reference ANT-2026-HY56VRSB.


Reference: ANT-2026-HY56VRSB
Anthropic CVD Policy: https://anthropic.com/security/cvd-policy

TIMELINE

Dates from discovery through public reveal.

  1. 2026-03-20 Reported to tracker
  2. 2026-03-20 Sent to maintainer
  3. 2026-05-20 Patch released
  4. 2026-05-20 Publicly revealed

PROVENANCE

SHA-3-512 hash:

64bfee709f646fc04ffed676034930182615fbe340bb4bbeecf2bdd53bc3fafc738cc51c1b25e2601cd2de21f1d303a90581e3201aaf0062593b5a4179344db5

Committed 2026-03-20 16:27 PT

Revealed 2026-05-20 00:40 PT

Preimage JSON:
{
  "ant_id": "ANT-2026-HY56VRSB",
  "bug_class": "Heap",
  "claude_severity": "high",
  "commit_sha": null,
  "created_at": "2026-03-20T19:13:25+00:00",
  "description": "In ngx_http_dav_copy_move_handler(), processing a COPY or MOVE request in a location using the alias directive temporarily replaces r->uri with the attacker-controlled Destination header URI and calls ngx_http_map_uri_to_path() without re-matching location blocks. If the Destination URI is shorter than clcf->alias, the buffer size computation (root.len + reserved + uri.len - alias + 1) produces an undersized allocation. ngx_copy then writes root.len bytes into this undersized buffer, overflowing it, and a subsequent ngx_copy computes uri.len - alias as size_t, underflowing to a massive length and crashing the worker. An attacker needs only a single COPY request with a short Destination header (e.g., Destination: /x against a 5-character alias) to trigger worker crash and potential heap corruption.",
  "discovered_at": null,
  "location": "src/http/modules/ngx_http_dav_module.c:703",
  "poc_sha256": null,
  "preimage_version": 1,
  "project": "nginx",
  "reproduction": [
    "1. Identify a target location combining alias and dav_methods COPY/MOVE (e.g., location /dav/ { alias /var/www/; dav_methods COPY; })",
    "2. Send: COPY /dav/file.txt HTTP/1.1 with header Destination: /x (any path shorter than the 5-character alias '/dav/')",
    "3. Handler swaps r->uri to '/x' (len=2), calls ngx_http_map_uri_to_path(); path->len computes to 7 bytes but ngx_copy writes 9 bytes of root, overflowing by 2; second ngx_copy underflows 2-5 as size_t and wild-copies until crash"
  ],
  "technical_details": "The root cause is that the handler swaps r->uri with the Destination URI (line 701) and immediately calls ngx_http_map_uri_to_path() (line 703) without validating that the new URI length is >= clcf->alias. In ngx_http_map_uri_to_path() at ngx_http_core_module.c:1943, path->len = clcf->root.len + reserved + r->uri.len - alias + 1 underflows when uri.len < alias (e.g., 9+0+2-5+1 = 7 for a 9-byte root), and ngx_copy at line 1950 writes the full 9-byte root into the 7-byte buffer. Neither ngx_http_parse_unsafe_uri nor the valid_location check enforces a minimum Destination length relative to the alias.",
  "title": "Heap buffer overflow in ngx_http_dav_copy_move_handler at ngx_http_dav_module.c:703 via short Destination header with alias directive",
  "vendor_severity": null
}