CVE-2026-42945 | THREATINT

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-13 | Updated 2026-05-14 | Assigner f5

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-122 Heap-based Buffer Overflow.

Product status

Default status

unknown

R37 (custom) before *

unaffected

R36 (custom) before R36 P4

affected

R32 (custom) before R32 P6

affected

Default status

unaffected

1.31.0 (semver) before *

unaffected

0.6.27 (semver) before 1.30.1

affected

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure. finder

References

depthfirst.com/nginx-rift

github.com/DepthFirstDisclosures/Nginx-Rift

my.f5.com/manage/s/article/K000161019 vendor-advisory patch

cve.org (CVE-2026-42945)

nvd.nist.gov (CVE-2026-42945)

Download JSON