Heap Buffer Overflow in NGINX Plus and NGINX Open Source Affecting ngx_http_rewrite_module
CVE-2026-42945

9.2 CRITICAL

Key Information:

Vendor: F5

CVE Published: 13 May 2026

Badges

Trending now | Trended | Score: 6,410 | Exploit Exists | Public PoC

What is CVE-2026-42945?

CVE-2026-42945 is a critical vulnerability affecting NGINX Plus and NGINX Open Source, specifically within the ngx_http_rewrite_module. This vulnerability occurs when a rewrite directive is used in conjunction with unnamed Perl-Compatible Regular Expression (PCRE) captures and replacement strings that include a question mark. An unauthenticated attacker can exploit this condition by sending specially crafted HTTP requests, which can lead to a heap buffer overflow in the NGINX worker process. As a result, this may cause the worker process to restart unexpectedly. For systems with Address Space Layout Randomization (ASLR) disabled, the vulnerability presents an even more severe risk, as it opens the possibility for code execution.
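
To find configurations that match the pattern described above, the following added example (not code from F5 or from this page) scans NGINX configuration text for rewrite directives whose replacement string contains a question mark and which use unnamed captures. The matching heuristic is an assumption based on the wording of the description, the function names are hypothetical, and the sample configuration is constructed; a hit marks a directive for review and is not proof of exposure.

```python
import re

# Comments, quoted strings, statement/block delimiters, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|[^\s;{}"']+''')
UNNAMED_GROUP = re.compile(r'(?<!\\)\((?!\?)')  # "(" that is neither "\(" nor "(?..."
POSITIONAL_REF = re.compile(r'\$[1-9]')         # $1..$9 in the replacement

def unquote(tok):
    return tok[1:-1] if len(tok) > 1 and tok[0] in "\"'" and tok[-1] == tok[0] else tok

def find_risky_rewrites(conf_text):
    """Return (line, regex, replacement) for rewrites matching the described pattern."""
    findings, args, start = [], [], 0
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok in (";", "{", "}"):           # end of a directive or block header
            if len(args) >= 3 and args[0] == "rewrite":
                regex, repl = unquote(args[1]), unquote(args[2])
                unnamed = UNNAMED_GROUP.search(regex) or POSITIONAL_REF.search(repl)
                if "?" in repl and unnamed:
                    findings.append((start, regex, repl))
            args = []
            continue
        if not args:                         # remember where the directive begins
            start = conf_text.count("\n", 0, m.start()) + 1
        args.append(tok)
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = r'''
server {
    listen 80;
    # legacy redirect
    rewrite ^/item/(\d+)$ /view.php?id=$1 last;
    rewrite ^/old/(?<slug>[a-z]+)$ /new/$slug?src=old permanent;
    rewrite "^/u/(\w+)/(\w+)$" "/profile?user=$1&tab=$2" break;
    rewrite ^/docs/(.*)$ /manual/$1 last;
    location /static/ { rewrite ^/static/v\d+/ /static/ break; }
}
'''

if __name__ == "__main__":
    for line, regex, repl in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line}: rewrite {regex} -> {repl}")
```

Included files are not followed, so run it over each configuration file, or over the fully expanded configuration, and pair the result with the version check in the Affected Version(s) list.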

Potential Impact of CVE-2026-42945

  1. Service Disruption: The heap buffer overflow can cause the NGINX worker process to restart, leading to potential downtime for web services relying on NGINX for load balancing and HTTP processing. This disruption could significantly affect business operations and user access to online services.

  2. Remote Code Execution Risk: For systems where ASLR is disabled, the vulnerability increases the likelihood of remote code execution. This could allow attackers to gain control over the affected systems, potentially leading to unauthorized access, data theft, and propagation of malware within the network.

  3. Increased Attack Surface: With the existence of this vulnerability, there is a heightened risk of exploitation in the wild. Attackers may target organizations running affected versions of NGINX, which could lead to widespread compromise, particularly in environments where secure configurations are not enforced.

Affected Version(s)

NGINX Open Source 0.6.27 < 1.30.1

NGINX Plus R36

NGINX Plus R32

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability started trending

  • Public PoC available

  • Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.