Vulnerability Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Owasp | Owasp Modsecurity Core Rule Set | < 3.3.8 |
Related Weaknesses (CWE)
References
- https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221ePatch
- https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105ePatch
- https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8ProductRelease Notes
- https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0ProductRelease Notes
- https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2ExploitVendor Advisory
- https://github.com/daytriftnewgen/CVE-2026-21876
FAQ
What is CVE-2026-21876?
CVE-2026-21876 is a vulnerability with a CVSS score of 9.3 (CRITICAL). The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when p...
How severe is CVE-2026-21876?
CVE-2026-21876 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-21876?
Check the references section above for vendor advisories and patch information. Affected products include: Owasp Owasp Modsecurity Core Rule Set.