Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Problem types
CWE-122 Heap-based Buffer Overflow.
Product status
R37 (custom) before *
R36 (custom) before R36 P4
R32 (custom) before R32 P6
1.31.0 (semver) before *
0.6.27 (semver) before 1.30.1
Credits
F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.
References
github.com/DepthFirstDisclosures/Nginx-Rift
access.redhat.com/security/cve/CVE-2026-42945
bugzilla.redhat.com/show_bug.cgi?id=2477116 (RHBZ#2477116)
security.access.redhat.com/...2/vex/2026/cve-2026-42945.json
access.redhat.com/errata/RHSA-2026:17790
access.redhat.com/errata/RHSA-2026:18063
access.redhat.com/errata/RHSA-2026:19159
access.redhat.com/errata/RHSA-2026:18041
access.redhat.com/errata/RHSA-2026:17791
access.redhat.com/errata/RHSA-2026:17751
access.redhat.com/errata/RHSA-2026:17792
access.redhat.com/errata/RHSA-2026:17793
access.redhat.com/errata/RHSA-2026:17752
access.redhat.com/errata/RHSA-2026:17794
access.redhat.com/errata/RHSA-2026:17753
access.redhat.com/errata/RHSA-2026:18029
access.redhat.com/errata/RHSA-2026:19371
access.redhat.com/errata/RHSA-2026:19374
access.redhat.com/errata/RHSA-2026:19372
access.redhat.com/errata/RHSA-2026:17417
access.redhat.com/errata/RHSA-2026:22396
access.redhat.com/errata/RHSA-2026:22393
access.redhat.com/errata/RHSA-2026:22394
access.redhat.com/errata/RHSA-2026:22390
access.redhat.com/errata/RHSA-2026:22388
access.redhat.com/errata/RHSA-2026:22389
access.redhat.com/errata/RHSA-2026:22382
access.redhat.com/errata/RHSA-2026:22383
access.redhat.com/errata/RHSA-2026:20442
access.redhat.com/errata/RHSA-2026:20444
access.redhat.com/errata/RHSA-2026:21275
my.f5.com/manage/s/article/K000161019