{
  "cve_id": "CVE-2026-27654",
  "reproduced": true,
  "verdict": "confirmed",
  "reproduction_script": "repro/reproduction_steps.sh",
  "vulnerable_version": "1.29.6",
  "fixed_version": "1.29.7",
  "issue_type": "heap-buffer-overflow",
  "summary": "nginx WebDAV COPY/MOVE heap-buffer-overflow when alias directive is used and Destination URI is shorter than the location prefix.",
  "details": {
    "trigger": "WebDAV COPY request to an aliased location with a Destination header whose URI is shorter than the location prefix length",
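    "vulnerable_behavior": "AddressSanitizer reports a negative-size-param error (size=-5) inside memcpy called from ngx_http_map_uri_to_path, reachable via ngx_http_dav_copy_move_handler in ngx_http_dav_module.c. The negative size is consistent with a copy length obtained by subtracting the location prefix length from the shorter Destination URI length. ASan classifies this as negative-size-param rather than heap-buffer-overflow, so checks against the listed logs should match on that string.",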
    "fixed_behavior": "The fixed nginx build (1.29.7) returns HTTP 400 Bad Request and does not crash.",
    "asan_error_detected": true,
    "fixed_http_code": 400,
    "logs": [
      "logs/asan_vulnerable.16927",
      "logs/vulnerable_asan.txt",
      "logs/fixed_curl.txt",
      "logs/vulnerable_stdout.txt",
      "logs/vulnerable_stderr.txt",
      "logs/fixed_stdout.txt",
      "logs/fixed_stderr.txt"
    ]
  }
}
