Apr 13, 2026
Integer underflow in NGINX WebDAV module allows unauthenticated attackers to trigger a heap overflow via crafted COPY/MOVE requests, leading to DoS or arbitrary file read/write.
CVE-2026-27654 is a critical vulnerability in the NGINX Open Source and NGINX Plus ngx_http_dav_module. An integer underflow in the processing of WebDAV COPY and MOVE requests triggers a heap-based buffer overflow. This flaw enables denial of service via worker process termination and arbitrary file manipulation outside the document root.
CVE-2026-27654 is a critical heap-based buffer overflow (CWE-122) in the NGINX ngx_http_dav_module. The vulnerability manifests during the processing of WebDAV MOVE or COPY HTTP requests when specific configuration directives are active. Exploitation results in severe memory corruption within the NGINX worker process heap space.
The flaw requires a non-default server configuration combining the WebDAV module with an alias directive inside a prefix location block. The underlying mechanism is an unsigned integer underflow (CWE-191) that supplies a massive copy length to a memory operation. NGINX worker processes typically operate with constrained system privileges, which limits immediate root compromise but still exposes web application data.
Remote unauthenticated attackers can leverage this vulnerability to execute arbitrary file reads outside the configured document root. Research by Calif.io demonstrates that controlled exploitation can achieve arbitrary file writes, elevating the impact beyond the initial denial of service (DoS) assessment. These conditions establish a direct path from an HTTP request to unauthorized data access and potential remote code execution.
The vulnerability originates from an unchecked subtraction operation in the ngx_http_dav_copy_move_handler() function located within src/http/modules/ngx_http_dav_module.c. When NGINX processes a COPY or MOVE request, it must resolve the destination path specified in the Destination HTTP header. The software determines the destination string length by subtracting the length of the current location prefix from the length of the provided URI path.
Both the prefix length and the path length are stored as size_t variables, which are unsigned 64-bit integers on modern architectures. If an attacker submits a Destination header containing a path shorter than the configured location prefix, the subtraction path_len - prefix_len underflows. Instead of a negative number, the result wraps around to an exceedingly large positive value close to 0xFFFFFFFFFFFFFFFF (exactly that value when the path is one byte shorter than the prefix).
NGINX subsequently passes this underflowed length to a memcpy operation in ngx_http_core_module.c without performing adequate bounds checking. The massive copy length instructs the process to copy far more data than the allocated heap buffer can hold. AddressSanitizer output from crashing instances reports a negative-size-param error precisely at the memcpy call made by the DAV handler.
The vulnerable code path lacks validation to ensure the destination URI length exceeds the location prefix length before performing arithmetic subtraction. The underflow mechanism directly dictates the size parameter of a subsequent heap memory copy operation.
```c
// Conceptual representation of the vulnerable logic
size_t path_len = ngx_strlen(dest_uri);
size_t prefix_len = clcf->name.len;
// Flaw: no check preventing path_len < prefix_len,
// so the unsigned subtraction wraps around (integer underflow)
size_t copy_len = path_len - prefix_len;
// Heap overflow triggered here: copy_len is enormous
ngx_memcpy(new_path, dest_uri, copy_len);
```

The remediation requires explicit boundary validation prior to the subtraction. The patch introduces a conditional check that rejects the request when the attacker-supplied destination path is shorter than the location prefix.
```c
// Conceptual representation of the patched logic
size_t path_len = ngx_strlen(dest_uri);
size_t prefix_len = clcf->name.len;
// Fix: validate bounds before subtraction
if (path_len < prefix_len) {
    return NGX_HTTP_BAD_REQUEST;
}
size_t copy_len = path_len - prefix_len;  // cannot wrap any more
ngx_memcpy(new_path, dest_uri, copy_len);
```

By ensuring path_len is greater than or equal to prefix_len before subtracting, the patch prevents the underflow condition entirely. This validation aligns with secure coding principles for size_t arithmetic and neutralizes this specific exploitation vector.
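To make the arithmetic concrete, the following is an added, stand-alone model of the two versions above; it is not NGINX source. The function names, the alias substitution into a caller-supplied buffer, the output-size check and the HTTP_BAD_REQUEST constant are this example's own assumptions, and the sample values (prefix /dav/, Destination /da) are the ones from this write-up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for NGX_HTTP_BAD_REQUEST (400); all names here are this example's own. */
#define HTTP_BAD_REQUEST 400

/* Length the unpatched handler hands to memcpy: size_t subtraction with no
   ordering check, so a Destination shorter than the prefix wraps toward SIZE_MAX. */
size_t vulnerable_copy_len(const char *dest_uri, const char *prefix)
{
    size_t path_len = strlen(dest_uri);
    size_t prefix_len = strlen(prefix);
    return path_len - prefix_len;           /* underflows when path_len < prefix_len */
}

/* Patched logic: reject before subtracting, then translate the URI the way an
   alias location does (location prefix replaced by the alias path). Returns 0 and
   fills out on success, HTTP_BAD_REQUEST for a short destination, or -1 if the
   result would not fit in out (an output bound this model adds). */
int patched_translate(const char *dest_uri, const char *prefix,
                      const char *alias, char *out, size_t out_size)
{
    size_t path_len = strlen(dest_uri);
    size_t prefix_len = strlen(prefix);
    size_t alias_len = strlen(alias);

    if (path_len < prefix_len) {            /* the fix: the subtraction below cannot wrap */
        return HTTP_BAD_REQUEST;
    }
    size_t copy_len = path_len - prefix_len;
    if (alias_len + copy_len + 1 > out_size) {
        return -1;
    }
    memcpy(out, alias, alias_len);
    memcpy(out + alias_len, dest_uri + prefix_len, copy_len);
    out[alias_len + copy_len] = '\0';
    return 0;
}

int main(void)
{
    char path[256];
    printf("unpatched copy_len for Destination /da: %zu\n", vulnerable_copy_len("/da", "/dav/"));
    int rc = patched_translate("/dav/report.txt", "/dav/", "/var/dav/uploads/", path, sizeof path);
    printf("patched /dav/report.txt -> rc=%d %s\n", rc, rc == 0 ? path : "");
    rc = patched_translate("/da", "/dav/", "/var/dav/uploads/", path, sizeof path);
    printf("patched /da -> rc=%d (rejected)\n", rc);
    return 0;
}
```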
Exploiting CVE-2026-27654 requires a targeted HTTP request to an NGINX endpoint configured with dav_methods that include COPY or MOVE, alongside an alias directive. The simplest exploitation vector aims for resource exhaustion via denial of service. The attacker sends a request where the Destination header character count is fewer than the server's location prefix.
```http
COPY /dav/x HTTP/1.1
Host: target.local
Destination: /da
```

Researchers at Calif.io identified three advanced exploitation techniques leveraging this exact underflow. The first entails arbitrary file writing, wherein an attacker uploads a webshell via PUT, then utilizes a malformed COPY request to overflow the heap and rewrite the destination path to an executable directory like /var/www/html/.
The second technique yields an arbitrary file read via path traversal. A carefully crafted COPY request leverages the overflow to corrupt both source and destination pointers in memory simultaneously. This allows the attacker to copy sensitive system files, such as /etc/passwd, into the publicly accessible WebDAV root.
A third variant utilizes slash-padding to manipulate memory alignment and bypass basic string length normalization. When merge_slashes is set to off, the attacker supplies strings like ////etc/passwd to push payloads into specific heap blocks. This precise memory shaping maximizes the reliability of the heap overflow payload execution.
The vulnerability carries a Base CVSS 3.1 score of 8.2 (HIGH), driven by the lack of required authentication and the network-based attack vector. While the official National Vulnerability Database (NVD) vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) scores Confidentiality as None, operational exploitation proofs demonstrate otherwise. The confirmed arbitrary file read techniques elevate the true confidentiality impact to High.
The integrity impact manifests through the capability to modify source or destination file names outside the intended document root. By chaining a PUT operation with the memory corruption primitive, attackers can achieve arbitrary file writes. If the target server processes scripts (e.g., PHP, Python) within the overwritten directory, this immediately results in remote code execution.
Availability is severely impacted because the heap corruption consistently triggers a segmentation fault in the handling worker process. An attacker sending continuous malformed requests will repeatedly crash worker processes, exhausting system resources and causing a sustained denial of service. The low EPSS score (0.00034) currently reflects the rarity of the prerequisite configuration, but targeted attacks against known WebDAV environments remain highly probable.
System administrators must immediately upgrade NGINX to the officially patched versions. For NGINX Open Source, stable branch users should update to version 1.28.3, and mainline branch users to version 1.29.7. NGINX Plus deployments must apply the corresponding patch release for their specific branch (e.g., R36 P3, R35 P2).
If patching is not operationally feasible, administrators can apply immediate configuration workarounds. The primary mitigation is disabling the WebDAV module (ngx_http_dav_module) entirely if the functionality is not actively used. Alternatively, administrators can modify the dav_methods directive to explicitly exclude COPY and MOVE operations.
```nginx
location /dav/ {
    alias /var/dav/uploads/;
    # Exclude COPY and MOVE to mitigate CVE-2026-27654
    dav_methods PUT DELETE MKCOL;
}
```

A secondary configuration workaround involves replacing the alias directive with root inside DAV-enabled location blocks. The specific underflow vulnerability logic is not triggered when the root directive handles path translation. Furthermore, implementing Web Application Firewall (WAF) rules to detect unusually short Destination headers or excessive slash padding can provide an interim defense-in-depth layer.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| NGINX Open Source (F5 Networks) | 0.5.13 - 0.9.7 | 1.28.3 |
| NGINX Open Source (F5 Networks) | 1.0.0 - 1.28.2 | 1.28.3 |
| NGINX Open Source (F5 Networks) | 1.29.0 - 1.29.6 | 1.29.7 |
| NGINX Plus (F5 Networks) | R32 - R36 | R36 P3 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-122, CWE-191 |
| Attack Vector | Network |
| CVSS Score | 8.2 (HIGH) |
| EPSS Score | 0.00034 (9.88%) |
| Impact | Denial of Service, Arbitrary File Read/Write |
| Exploit Status | PoC Available |
| CISA KEV | Not Listed |
Heap-based buffer overflow stemming from an integer underflow in length calculation.