Security researchers have identified two significant vulnerabilities in libmodsecurity3, the core library of the ModSecurity v3 project. As a critical component for many Web Application Firewalls (WAFs), libmodsecurity3 is responsible for interpreting security rules and applying them to HTTP traffic via various connectors. These newly discovered flaws, however, could turn this protective shield into a point of failure, allowing attackers to crash worker processes or cause unhandled exceptions.
The more disruptive of the two is a segmentation fault (CVE-2026-30923) rated CVSS 7.5. Under specific configurations, in particular when the t:hexDecode transformation is applied to request arguments, a query string consisting of a single character is enough to crash the worker process handling the request.
An attacker can use a basic one-line bash script to repeatedly send malformed requests, crashing all available worker processes. This leaves the server unable to handle legitimate users, effectively taking the application offline.
“Using a simple one liner is enough to crash all worker processes, leaving none available for legitimate users,” the advisory warns.
The vulnerability affects every libmodsecurity3 release before the fixed version, while users of the older ModSecurity 2 (Apache module) are reportedly not affected.
The second vulnerability, tracked as CVE-2026-42268, carries an even higher CVSS score of 8.2 and stems from an unsigned integer underflow in the operators used to validate sensitive identifiers: @verifySSN (US Social Security numbers), @verifyCPF (Brazilian CPF numbers) and @verifySVNR (Austrian social insurance numbers).
If an administrator has configured rules using any of these operators, a crafted input can raise a std::out_of_range exception that the library does not catch. Like the segfault, the result is a dead worker process, so the availability of both the WAF and the application behind it is affected.
The ModSecurity project has moved quickly to address these issues. Administrators are urged to update to libmodsecurity3 3.0.15, which contains the necessary patches for both vulnerabilities.
Workarounds:
- For CVE-2026-42268: If you cannot patch immediately, disable any rules that use the @verifySSN, @verifyCPF or @verifySVNR operators.
- For CVE-2026-30923: Review your rule set and, if you are unable to upgrade, temporarily remove t:hexDecode from rules that inspect query-string arguments. Bear in mind that the transformation was there to catch hex-encoded payloads, so the affected rules will miss those until the library is patched.
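As an added example, not code from the advisory or from the ModSecurity project, the following POSIX shell script shows what the two workarounds look like in rule form and audits a rule directory for lines that still carry the risky constructs. It writes two constructed rule files, one with a t:hexDecode rule and a @verifySSN rule as an administrator might have them today, and one with the workarounds applied, then reports every live (non-comment) line that still uses t:hexDecode or one of the three affected operators. The rule ids 100001 and 100002, the rule messages and the temporary directory layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the ModSecurity project.
# Builds constructed before/after rule files, then audits a directory for live
# lines that still carry t:hexDecode or @verifySSN/@verifyCPF/@verifySVNR.
# Rule ids, messages and the directory layout are assumptions for the demo.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/before" "$WORKDIR/after"

# Constructed "before" rule file: rule 100001 hex-decodes request arguments
# (the CVE-2026-30923 trigger) and rule 100002 uses @verifySSN (CVE-2026-42268).
cat > "$WORKDIR/before/rules.conf" <<'EOF'
SecRuleEngine On
# Decode hex-encoded arguments before checking for a traversal marker
SecRule ARGS "@contains ../" \
    "id:100001,phase:2,t:none,t:hexDecode,deny,status:403,msg:'Traversal after hexDecode'"
# Flag US social security numbers submitted in any argument
SecRule ARGS "@verifySSN \d{3}-?\d{2}-?\d{4}" \
    "id:100002,phase:2,t:none,log,pass,msg:'SSN in request'"
EOF

# Constructed "after" rule file with the workarounds applied: t:hexDecode is
# dropped from 100001 and 100002 is commented out until 3.0.15 is deployed.
cat > "$WORKDIR/after/rules.conf" <<'EOF'
SecRuleEngine On
SecRule ARGS "@contains ../" \
    "id:100001,phase:2,t:none,deny,status:403,msg:'Traversal marker'"
# Disabled pending upgrade to libmodsecurity3 3.0.15 (CVE-2026-42268):
# SecRule ARGS "@verifySSN \d{3}-?\d{2}-?\d{4}" \
#     "id:100002,phase:2,t:none,log,pass,msg:'SSN in request'"
EOF

# audit_modsec_rules DIR: print file:line:text for every non-comment line under
# DIR that still uses the hexDecode transformation or one of the three operators.
# Comment lines are dropped so a rule disabled by commenting is not reported.
audit_modsec_rules() {
    grep -rnE 't:hexDecode|@verify(SSN|CPF|SVNR)' "$1" \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# count_findings DIR: number of findings as a bare integer on stdout.
count_findings() {
    audit_modsec_rules "$1" | wc -l | tr -d ' '
}

echo "== live findings before mitigation =="
audit_modsec_rules "$WORKDIR/before"
echo "== live findings after mitigation: $(count_findings "$WORKDIR/after") =="
```

Point `audit_modsec_rules` at your real rule directory to get a list to work through; every hit on a t:hexDecode line needs a decision about whether that rule inspects query-string arguments, and every hit on a @verify operator is a rule to disable. If the @verify rule lives in a vendored rule set you would rather not edit, `SecRuleRemoveById 100002` in a later-loaded file disables it just as well, but since the audit is a plain text scan the original rule line will still show up as a finding in that case.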