Heap Overflow in NGINX ngx_http_rewrite_module Enables Unauthenticated RCE (CVE-2026-42945)

1 unique source, 1 article

Summary

A critical heap-based buffer overflow vulnerability in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source, tracked as CVE-2026-42945 (CVSS v4: 9.2) and codenamed NGINX Rift, has been disclosed. The flaw allows unauthenticated remote code execution (RCE) or denial-of-service (DoS) when specific crafted HTTP requests are sent to a vulnerable server. The vulnerability has persisted for 18 years and is exploitable where rewrite directives use unnamed PCRE capture groups and replacement strings containing question marks. Successful exploitation corrupts the heap in the NGINX worker process, enabling code execution if ASLR is disabled, or DoS via repeated worker crashes. Impact is severe because the attack is unauthenticated, has no prerequisites, and can disrupt all services served by the affected NGINX instance.

Timeline

  1. 14.05.2026 09:00 · 1 article

    Unauthenticated RCE Vulnerability in NGINX ngx_http_rewrite_module Disclosed (CVE-2026-42945)

    A heap-based buffer overflow in NGINX’s ngx_http_rewrite_module (CVE-2026-42945) was disclosed, enabling unauthenticated remote code execution or denial-of-service via crafted HTTP requests. The flaw affects NGINX Plus and NGINX Open Source across multiple versions and has remained undetected for 18 years. Patches are available for most affected products except NGINX Open Source versions 0.6.27–0.9.7. Mitigation via configuration changes is advised for unpatched systems.

Information Snippets

  • The vulnerability (CVE-2026-42945) exists in the ngx_http_rewrite_module when the rewrite directive is followed by another rewrite, if, or set directive and includes an unnamed PCRE capture (e.g., $1, $2) with a replacement string containing a question mark (?).

    First reported: 14.05.2026 09:00
    1 source, 1 article
  • Exploitation requires only a single crafted HTTP request to trigger a heap buffer overflow in the NGINX worker process, leading to RCE if ASLR is disabled or DoS via repeated worker restarts.

    First reported: 14.05.2026 09:00
    1 source, 1 article
  • Affected products include NGINX Plus R32–R36, NGINX Open Source 1.0.0–1.30.0 and 0.6.27–0.9.7, NGINX Instance Manager 2.16.0–2.21.1, F5 WAF for NGINX 5.9.0–5.12.1, and multiple NGINX-related offerings. Patches are available for most versions except NGINX Open Source 0.6.27–0.9.7.

    First reported: 14.05.2026 09:00
    1 source, 1 article
  • Additional vulnerabilities addressed alongside CVE-2026-42945 include CVE-2026-42946 (excessive memory allocation in SCGI/UWSGI modules, CVSS 8.3), CVE-2026-40701 (use-after-free in SSL module, CVSS 6.3), and CVE-2026-42934 (out-of-bounds read in charset module, CVSS 6.3).

    First reported: 14.05.2026 09:00
    1 source, 1 article
  • Mitigation for CVE-2026-42945 without immediate patching includes replacing unnamed PCRE captures with named captures in all affected rewrite directives.

    First reported: 14.05.2026 09:00
    1 source, 1 article
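
To find the directives this mitigation applies to, the following added example (not from the source article or from NGINX/F5) scans configuration text for rewrite directives whose replacement string contains both an unnamed capture and a question mark, and notes whether the next directive is rewrite, if, or set. The line-based parsing, the function name `audit`, and the sample configuration are assumptions made for illustration; location /b shows the named-capture form.

```python
import re

# Constructed sample configuration for this example (not from a real deployment).
SAMPLE_CONF = r"""
server {
    location /a {
        rewrite ^/old/(.*)$ /new?path=$1 last;
        set $flag 1;
    }
    location /b {
        rewrite ^/old/(?<rest>.*)$ /new?path=$rest last;
        set $flag 1;
    }
    location /c {
        rewrite ^/img/(.*)$ /static/$1 break;
    }
}
"""

FOLLOWERS = {"rewrite", "if", "set"}   # directives named in the summary above
UNNAMED_CAPTURE = re.compile(r"\$\d")  # $1, $2, ... in the replacement string


def audit(conf_text):
    """Return (line_no, directive, followed) for each rewrite to review.

    Simplified line-based scan (an assumption of this example): one
    directive per line, no whitespace inside the regex or replacement.
    """
    lines = [(n, l.strip()) for n, l in enumerate(conf_text.splitlines(), 1)]
    lines = [(n, l) for n, l in lines if l and not l.startswith("#")]
    findings = []
    for i, (n, line) in enumerate(lines):
        tokens = line.rstrip(";").split()
        if len(tokens) < 3 or tokens[0] != "rewrite":
            continue
        replacement = tokens[2]
        if not (UNNAMED_CAPTURE.search(replacement) and "?" in replacement):
            continue
        next_name = lines[i + 1][1].split()[0] if i + 1 < len(lines) else ""
        findings.append((n, line, next_name in FOLLOWERS))
    return findings


if __name__ == "__main__":
    for n, line, followed in audit(SAMPLE_CONF):
        note = "followed by rewrite/if/set" if followed else "review"
        print(f"line {n}: {line}  [{note}]")
```

Configurations that use `include` files or multi-line directives need each file scanned and the output reviewed by hand, since this scan does not resolve includes.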