NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
Summary
Hide ▲
Show ▼
F5 issued a workaround for vulnerable NGINX rewrite rules, reducing exposure to CVE-2026-42945 for operators who cannot upgrade immediately. The guidance replaces unnamed PCRE capture groups ($1, $2, etc.) with named captures. That change removes the main exploitation prerequisite in affected NGINX configurations. The mitigation is meant to bridge deployments until fixed versions can be installed.
Related Happenings
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
**F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
NGINX web server critical flaws (multiple vulnerabilities)
Vulnerability
H score38
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
NGINX web server critical flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch Release
H score34
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch ReleaseAbout this happening: **F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...
Nginx security patch release for CVE-2026-49975
Security Patch Release
H score42
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Nginx security patch release for CVE-2026-49975
Security Patch ReleaseAbout this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Ivanti security patch release for CVE-2026-8043
Security Patch Release
H score25
First: 18.05.2026 13:54
Last: 18.05.2026 13:54
Sources 1
About this happening:
**Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...
Ivanti security patch release for CVE-2026-8043
Security Patch ReleaseAbout this happening: **Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...
Timeline
-
14.05.2026 18:43 1 articles · 1mo ago
DepthFirst AI discovers CVE-2026-42945 in NGINX
Technical Analysis UpdateDepthFirst AI identifies CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX Open Source, during a six-hour autonomous code scanning session.
Show sources
- 18-year-old NGINX vulnerability allows DoS, potential RCE — www.bleepingcomputer.com — 14.05.2026 18:43
-
13.05.2026 03:00 2 articles · 1mo ago
F5 releases a workaround for vulnerable NGINX rewrite rules
Mitigation Patch UpdateF5 releases mitigation guidance for vulnerable NGINX rewrite rules, advising operators who cannot upgrade to replace unnamed PCRE capture groups ($1, $2, etc.) with named captures so the main exploitation prerequisite is removed.
Show sources
- 18-year-old NGINX vulnerability allows DoS, potential RCE — www.bleepingcomputer.com — 14.05.2026 18:43
- 18-year-old NGINX vulnerability allows DoS, potential RCE — www.bleepingcomputer.com — 14.05.2026 18:43
-
21.04.2026 03:00 1 articles · 2mo ago
Researchers report CVE-2026-42945 to the vendor
Initial DisclosureResearchers report CVE-2026-42945 to the vendor, identifying a heap buffer overflow in ngx_http_rewrite_module that affects NGINX versions 0.6.27 through 1.30.0.
Show sources
- 18-year-old NGINX vulnerability allows DoS, potential RCE — www.bleepingcomputer.com — 14.05.2026 18:43