Home

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-13 | Updated 2026-06-27 | Assigner f5




HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-122 Heap-based Buffer Overflow.

Product status

Default status
unknown

R37 (custom) before *
unaffected

R36 (custom) before R36 P4
affected

R32 (custom) before R32 P6
affected

Default status
unaffected

1.31.0 (semver) before *
unaffected

0.6.27 (semver) before 1.30.1
affected

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure. finder

References

depthfirst.com/nginx-rift

github.com/DepthFirstDisclosures/Nginx-Rift

access.redhat.com/security/cve/CVE-2026-42945 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2477116 (RHBZ#2477116) issue-tracking

security.access.redhat.com/...2/vex/2026/cve-2026-42945.json

access.redhat.com/errata/RHSA-2026:17790 vendor-advisory

access.redhat.com/errata/RHSA-2026:18063 vendor-advisory

access.redhat.com/errata/RHSA-2026:19159 vendor-advisory

access.redhat.com/errata/RHSA-2026:18041 vendor-advisory

access.redhat.com/errata/RHSA-2026:17791 vendor-advisory

access.redhat.com/errata/RHSA-2026:17751 vendor-advisory

access.redhat.com/errata/RHSA-2026:17792 vendor-advisory

access.redhat.com/errata/RHSA-2026:17793 vendor-advisory

access.redhat.com/errata/RHSA-2026:17752 vendor-advisory

access.redhat.com/errata/RHSA-2026:17794 vendor-advisory

access.redhat.com/errata/RHSA-2026:17753 vendor-advisory

access.redhat.com/errata/RHSA-2026:18029 vendor-advisory

access.redhat.com/errata/RHSA-2026:19371 vendor-advisory

access.redhat.com/errata/RHSA-2026:19374 vendor-advisory

access.redhat.com/errata/RHSA-2026:19372 vendor-advisory

access.redhat.com/errata/RHSA-2026:17417 vendor-advisory

access.redhat.com/errata/RHSA-2026:22396 vendor-advisory

access.redhat.com/errata/RHSA-2026:22393 vendor-advisory

access.redhat.com/errata/RHSA-2026:22394 vendor-advisory

access.redhat.com/errata/RHSA-2026:22390 vendor-advisory

access.redhat.com/errata/RHSA-2026:22388 vendor-advisory

access.redhat.com/errata/RHSA-2026:22389 vendor-advisory

access.redhat.com/errata/RHSA-2026:22382 vendor-advisory

access.redhat.com/errata/RHSA-2026:22383 vendor-advisory

access.redhat.com/errata/RHSA-2026:20442 vendor-advisory

access.redhat.com/errata/RHSA-2026:20444 vendor-advisory

access.redhat.com/errata/RHSA-2026:21275 vendor-advisory

my.f5.com/manage/s/article/K000161019 vendor-advisory patch

cve.org (CVE-2026-42945)

nvd.nist.gov (CVE-2026-42945)

Download JSON