Oops, too fast to blame apr :) This bug was a forgotten NULL in the apr_pstrcat function. Apparently newer APRs can handle this.

apache2/re.c

@@ -1295,9 +1295,7 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
                                     var->name, var->param);
     }
     else if ((var->name != NULL) && var->is_counting && (*var->name != '&')) {
-        // TODO: This fails (sigsegv) on FC4, but apr_psprintf works
+        full_varname = apr_pstrcat(mptmp, "&", var->name, NULL);
-        //full_varname = apr_pstrcat(mptmp, "&", var->name);
-        full_varname = apr_psprintf(mptmp, "&%s", var->name);
     }
     else {
         full_varname = var->name;