Fluid Attacks Database

Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like MULTIPART_PART_HEADERS), the capture variables (TX:0, TX:1) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	modsecurity-crs	=3.3.7-1 \|\| >=0 <3.3.7-1+deb13u1	3.3.7-1+deb13u1
debian 11	modsecurity-crs	=3.3.0-1 \|\| =3.3.0-1+deb11u1 \|\| =3.3.2-1 \|\| =3.3.4-1~deb11u1 \|\| >=0 <3.3.4-1~deb11u2	3.3.4-1~deb11u2
debian 12	modsecurity-crs	=3.3.4-1 \|\| >=0 <3.3.4-1+deb12u1	3.3.4-1+deb12u1
debian 14	modsecurity-crs	=3.3.7-1 \|\| >=0 <3.3.8-1	3.3.8-1

Aliases

1. CVE-2026-218762. NVD-2026-218763. OSV-DEBIAN-2026-218764. OSV-2026-218765. SECURITY-TRACKER-CVE-2026-21876

References

1. https://github.com/CVEs-Labs/CVE-2026-21876

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.