NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
Summary
F5 issued a workaround for vulnerable NGINX rewrite rules, reducing exposure to CVE-2026-42945 for operators who cannot upgrade immediately. The guidance replaces unnamed PCRE capture groups ($1, $2, etc.) with named captures. That change removes the main exploitation prerequisite in affected NGINX configurations. The mitigation is meant to bridge deployments until fixed versions can be installed.
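An audit helper for the workaround described above, added here as an example and not code from F5 or from this page: it flags lines that reference `$1`..`$9`, converts `rewrite` directives to named captures, and leaves other directives for manual review. The sample configuration is constructed, the generated names (`c1`, `c2`) are placeholders, and treating every positional reference as a candidate is an assumption, since the page does not spell out the exact shape of a vulnerable rule.

```python
import re
# Constructed fragment of a server block (not from the advisory).
SAMPLE_CONF = r"""
    rewrite ^/user/(\d+)/(?:view|edit)/([a-z]+)$ /profile?id=$1&tab=$2 last;
    rewrite ^/blog/(?<slug>[\w-]+)$ /posts/$slug last;
    rewrite "^/f/([0-9a-f]{8})$" /file?h=$1 break;
    # rewrite ^/old/(.*)$ /new/$1 permanent;
    location ~ ^/dl/(.+)$ { return 302 /download?f=$1; }
"""
TOKEN = r'("[^"]*"|\'[^\']*\'|[^\s;]+)'
REWRITE = re.compile(r"^(\s*rewrite\s+)" + TOKEN + r"(\s+)" + TOKEN)
POSITIONAL = re.compile(r"\$([1-9])")
NAMED = re.compile(r"\(\?(?:P?<(?![=!])|')(\w+)")  # (?<n>, (?P<n>, (?'n'

def name_groups(pattern, prefix="c"):
    """Name each unnamed capturing group; a ']' placed first in a class is not handled."""
    out, names, n, i, in_class = [], {}, 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                        # escaped character: copy the pair untouched
            out.append(pattern[i:i + 2]); i += 2; continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            m = NAMED.match(pattern, i)
            if m:                             # already named, but still consumes a number
                n += 1; names[n] = m.group(1)
            elif not pattern.startswith("(?", i):
                n += 1; names[n] = f"{prefix}{n}"   # placeholder name
                out.append(f"(?<{names[n]}>"); i += 1; continue
        out.append(ch); i += 1
    return "".join(out), names

def audit(conf):
    """Return (findings, fixed_conf); findings are (line number, 'rewritten' | 'manual')."""
    findings, fixed = [], []
    for no, line in enumerate(conf.splitlines(), 1):
        m = REWRITE.match(line)
        if not line.lstrip().startswith("#") and POSITIONAL.search(line):
            kind = "manual"                   # location/if/return etc.: review by hand
            if m and POSITIONAL.search(m.group(4)):
                regex, names = name_groups(m.group(2))
                ref = lambda r: "${%s}" % names[int(r[1])] if int(r[1]) in names else r[0]
                line = m.group(1) + regex + m.group(3) + POSITIONAL.sub(ref, m.group(4)) + line[m.end():]
                kind = "rewritten"
            findings.append((no, kind))
        fixed.append(line)
    return findings, "\n".join(fixed)
```

Run `nginx -t` against the rewritten configuration before reloading, and rename the generated captures to something meaningful.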
Related Happenings
Ivanti security patch release for CVE-2026-8043
Security Patch Release
First: 18.05.2026 13:54
Last: 18.05.2026 13:54
Sources 1
About this happening:
**Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
Vulnerability
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
How related:
The vulnerability is tracked as CVE-2026-42945 and received a critical severity rating of 9.2, based on the latest version of the Common Vulnerability Scoring System (CVSS).
About this happening:
**CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...
F5 security patch release for CVE-2026-42945
Security Patch Release
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
How related:
According to F5’s security advisory, released yesterday, the flaws impact the following NGINX builds:
About this happening:
F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
Latest development: 17.05.2026 14:57
VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open Source, saying honeypot networks saw weaponized, crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
CPanel security patch release for CVE-2026-29201
Security Patch Release
First: 09.05.2026 10:16
Last: 09.05.2026 10:16
Sources 1
About this happening:
**cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...
Timeline
14.05.2026 18:43 1 articles · 13d ago
DepthFirst AI discovers CVE-2026-42945 in NGINX
Technical Analysis Update: DepthFirst AI identifies CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX Open Source, during a six-hour autonomous code scanning session.
Sources:
- 18-year-old NGINX vulnerability allows DoS, potential RCE — www.bleepingcomputer.com — 14.05.2026 18:43
13.05.2026 03:00 2 articles · 14d ago
F5 releases a workaround for vulnerable NGINX rewrite rules
Mitigation Patch Update: F5 releases mitigation guidance for vulnerable NGINX rewrite rules, advising operators who cannot upgrade to replace unnamed PCRE capture groups ($1, $2, etc.) with named captures so the main exploitation prerequisite is removed.
Sources:
- 18-year-old NGINX vulnerability allows DoS, potential RCE — www.bleepingcomputer.com — 14.05.2026 18:43
21.04.2026 03:00 1 articles · 1mo ago
Researchers report CVE-2026-42945 to the vendor
Initial Disclosure: Researchers report CVE-2026-42945 to the vendor, identifying a heap buffer overflow in ngx_http_rewrite_module that affects NGINX versions 0.6.27 through 1.30.0.
Sources:
- 18-year-old NGINX vulnerability allows DoS, potential RCE — www.bleepingcomputer.com — 14.05.2026 18:43