CVE-2026-21876

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like MULTIPART_PART_HEADERS), the capture variables (TX:0, TX:1) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.

Database specific

{
    "cwe_ids": [
        "CWE-794"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21876.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/coreruleset/coreruleset

Affected ranges

Type: GIT
Repo: https://github.com/coreruleset/coreruleset
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

83011c4512d9c91713629561c31c255da71d6bf7

Affected versions

v2.*

v2.2.5

v2.2.6

v2.2.7

v3.*

v3.0.0

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.0.1

v3.0.2

v3.1.0-rc1

v3.2-rc1

v3.2.0

v3.2.0-rc1

v3.2.0-rc2

v3.2.0-rc3

v3.3.0

v3.3.0-rc1

v3.3.0-rc2

v3.3.1-rc1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21876.json"