{
  "ticket_id": "CVE-2026-27654",
  "code_root": "external/nginx",
  "source": {
    "type": "cve",
    "cve_id": "CVE-2026-27654",
    "repo": "https://github.com/nginx/nginx"
  },
  "facts": {
    "issue_summary": "nginx's ngx_http_dav_module miscomputes the destination filesystem path for DAV COPY and MOVE requests when the matched location uses a prefix `location /pfx/ { ... }` combined with an `alias /some/dir/;` directive. The destination header is appended to the alias root without correctly subtracting the prefix, producing a path string longer than the buffer that was sized for the (shorter) alias-substituted form. The subsequent copy of the destination filename overflows that heap buffer in the worker process. Reachable unauthenticated on any nginx instance that enables `dav_methods PUT DELETE MKCOL COPY MOVE;` under such a location.",
    "vulnerability_type": "Heap-based buffer overflow in ngx_http_dav_module COPY/MOVE handling",
    "suspected_cwe": ["CWE-122"],
    "affected_versions": "0.5.13-0.9.7, 1.0.0-1.28.2, 1.29.0-1.29.6 (nginx Open Source)",
    "fixed_versions": ["1.28.3", "1.29.7"],
    "reproduce_version": "1.29.6",
    "verify_fixed_version": "1.29.7",
    "repo_url": "https://github.com/nginx/nginx.git",
    "checkout_ref": "release-1.29.6",
    "code_root": "external/nginx",
    "attacker_access": "unauthenticated network attacker who can reach an nginx host with DAV COPY/MOVE enabled under a location using `alias`",
    "primary_entry_point": "ngx_http_dav_copy_move_handler in src/http/modules/ngx_http_dav_module.c, in particular the construction of the destination path from the Destination: HTTP request header",
    "build_hint": "Build nginx from source with: ./configure --with-http_dav_module --with-cc-opt='-fsanitize=address -g -O1' --with-ld-opt='-fsanitize=address' && make. Run with master_process off and worker_processes 1 so ASAN catches the overflow inline in the foreground.",
    "trigger_hint": "Configure: location /dav/ { root /tmp/dav_root; -OR- alias /tmp/dav_alias/; dav_methods PUT DELETE MKCOL COPY MOVE; create_full_put_path on; dav_access user:rw group:rw all:r; }. PUT a file, then COPY/MOVE it with a Destination header that produces a long aliased path (e.g. a long filename). On vulnerable build expect ASAN heap-buffer-overflow WRITE or worker crash; on fixed build expect HTTP 201 Created / 204 No Content with no crash.",
    "tested_under": "Single nginx worker built with -fsanitize=address, run in the foreground so ASAN output goes to stderr."
  }
}