Ubuntu nginx 1.24.0-2ubuntu7.10 crashes workers with ngx_http_modsecurity_module enabled; 1.24.0-2ubuntu7.9 works #3572

@DennisYildirim


Hi everyone, I was running my webpage production VM on Ubuntu using nginx and ModSecurity. This morning around 6:00 am it caused the page to go down. It stopped working, and I realised that it's due to the latest update on nginx, which caused ModSecurity not to work anymore. I've summarised the information below with Codex. Just wanted to give you as much info as I can so that maybe you can fix or update so that ModSecurity works just fine with the latest nginx version. By the way, the staging environment I have, which is running on a Mac mini M4, is perfectly fine. It also uses nginx and ModSecurity, but somehow the issue did not impact it. Everything else is identical; the code running Django, the database, etc. are identical. The issue seems to be the Ubuntu auto-updated nginx package vs. ModSecurity.

Summary

After an unattended Ubuntu upgrade from nginx 1.24.0-2ubuntu7.9 to 1.24.0-2ubuntu7.10, Nginx workers began crashing on any ModSecurity-enabled request.

This happens even with a minimal inline ModSecurity config containing only:

modsecurity on;
modsecurity_rules 'SecRuleEngine On';

Environment

OS:

Ubuntu 24.04 noble
amd64

Installed packages:

nginx                         1.24.0-2ubuntu7.10
nginx-common                  1.24.0-2ubuntu7.10
libnginx-mod-http-modsecurity 1.0.3-1build3
libmodsecurity3t64            3.0.12-1.1build2
modsecurity-crs               3.3.5-2

The failing upgrade was installed by unattended-upgrades:

2026-06-09 06:13:29
Upgrade: nginx:amd64 1.24.0-2ubuntu7.9 -> 1.24.0-2ubuntu7.10
Upgrade: nginx-common:amd64 1.24.0-2ubuntu7.9 -> 1.24.0-2ubuntu7.10

Impact

Production Nginx returned empty replies / Cloudflare 502s for normal dynamic requests. Nginx workers repeatedly crashed with signal 11.

Example error:

malloc(96973185644385) failed (12: Cannot allocate memory)
worker process exited on signal 11 (core dumped)

Minimal Reproduction

Use this minimal config:

load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;

worker_processes 1;
pid /tmp/nginx-current-modsec-test.pid;

events {
  worker_connections 64;
}

http {
  error_log /tmp/nginx-modsec-error.log info;

  server {
    listen 127.0.0.1:18100;
    server_name localhost;

    modsecurity on;
    modsecurity_rules 'SecRuleEngine On';

    location / {
      default_type text/plain;
      return 200 "current engine ok\n";
    }
  }
}

Start current Nginx:

/usr/sbin/nginx -p /tmp/nginx-current-prefix -c /tmp/current.conf
curl -sS -D - http://127.0.0.1:18100/

Actual result:

curl: (52) Empty reply from server

Nginx error log:

malloc(108978184456033) failed (12: Cannot allocate memory)
worker process exited on signal 11 (core dumped)

Control Test

Download and extract previous Nginx:

apt-get download nginx=1.24.0-2ubuntu7.9 nginx-common=1.24.0-2ubuntu7.9
dpkg-deb -x nginx_1.24.0-2ubuntu7.9_amd64.deb /tmp/nginx-old

Run the same config with the old binary:

/tmp/nginx-old/usr/sbin/nginx -p /tmp/nginx-old-prefix -c /tmp/old.conf
curl -sS -D - http://127.0.0.1:18101/

Expected/actual result with old binary:

HTTP/1.1 200 OK
old engine ok

Workaround

Pin/replace the service runtime to use the extracted nginx 1.24.0-2ubuntu7.9 binary. With the previous Nginx binary, the same ModSecurity module and rules work again.

Expected Behavior

nginx 1.24.0-2ubuntu7.10 should not crash workers when ngx_http_modsecurity_module is loaded and SecRuleEngine On is enabled.

Actual Behavior

Nginx worker crashes with huge invalid-looking malloc request and signal 11.

Notes

This appears to be a regression or ABI/runtime incompatibility between:

nginx 1.24.0-2ubuntu7.10
libnginx-mod-http-modsecurity 1.0.3-1build3
libmodsecurity3t64 3.0.12-1.1build2

The issue is reproducible without OWASP CRS, so CRS rules are unlikely to be the root cause.
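
For operators who want to check whether a host shows the pattern reported above, the following is an added example, not part of the original report or of the ModSecurity project's code. It correlates nginx package upgrades in a dpkg log with worker SIGSEGVs and oversized malloc failures in the nginx error log, and notes whether any `libnginx-mod-*` package was upgraded alongside. The log lines are constructed samples in the standard dpkg.log and nginx error_log formats, and the 1 TiB threshold and the `crash_report` name are assumptions.

```python
import re
from datetime import datetime

# dpkg.log: "<date> <time> upgrade <pkg>:<arch> <old-version> <new-version>"
DPKG_UPGRADE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) upgrade ([^:\s]+):\S+ (\S+) (\S+)$")
# nginx error_log: "YYYY/MM/DD HH:MM:SS [level] message"
NGX_LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] (.*)$")
SEGV = re.compile(r"worker process \d+ exited on signal 11")
MALLOC = re.compile(r"malloc\((\d+)\) failed")
HUGE = 1 << 40  # assumption: a request above 1 TiB is a corrupted size, not load

# Constructed sample logs: versions and malloc sizes are the report's,
# PIDs and error_log timestamps are invented for the example.
SAMPLE_DPKG = [
    "2026-06-09 06:13:29 upgrade nginx-common:all 1.24.0-2ubuntu7.9 1.24.0-2ubuntu7.10",
    "2026-06-09 06:13:29 upgrade nginx:amd64 1.24.0-2ubuntu7.9 1.24.0-2ubuntu7.10",
]
SAMPLE_ERRORS = [
    "2026/06/09 05:58:02 [notice] 4100#4100: signal process started",
    "2026/06/09 06:14:10 [emerg] 4242#4242: *1 malloc(96973185644385) failed (12: Cannot allocate memory)",
    "2026/06/09 06:14:10 [alert] 4100#4100: worker process 4242 exited on signal 11 (core dumped)",
    "2026/06/09 06:14:31 [emerg] 4250#4250: *2 malloc(108978184456033) failed (12: Cannot allocate memory)",
    "2026/06/09 06:14:31 [alert] 4100#4100: worker process 4250 exited on signal 11 (core dumped)",
]

def crash_report(dpkg_lines, error_lines):
    """Count worker SIGSEGVs and oversized mallocs before/after each nginx upgrade."""
    upgrades = [m.groups() for m in map(DPKG_UPGRADE.match, dpkg_lines) if m]
    # If no dynamic-module package was upgraded, the old module now runs in a new nginx.
    module_upgraded = any(p.startswith("libnginx-mod-") for _, p, _, _ in upgrades)
    events = []
    for m in filter(None, map(NGX_LINE.match, error_lines)):
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        size = MALLOC.search(m.group(2))
        events.append((when, bool(SEGV.search(m.group(2))),
                       bool(size and int(size.group(1)) > HUGE)))
    report = []
    for ts, _, old, new in (u for u in upgrades if u[1] == "nginx"):
        at = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        before = sum(segv for t, segv, _ in events if t < at)
        after = sum(segv for t, segv, _ in events if t >= at)
        report.append({"from": old, "to": new, "segv_before": before,
                       "segv_after": after, "module_upgraded": module_upgraded,
                       "huge_malloc_after": sum(h for t, _, h in events if t >= at),
                       "suspect": before == 0 and after > 0})
    return report

if __name__ == "__main__":
    print(crash_report(SAMPLE_DPKG, SAMPLE_ERRORS))
```
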

Labels: 3.x (Related to ModSecurity version 3.x)