CVE-2026-42945 Overview
CVE-2026-42945 is a heap buffer overflow [CWE-122] in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source. The flaw is triggered when a rewrite directive is followed by another rewrite, if, or set directive that uses an unnamed Perl-Compatible Regular Expression (PCRE) capture such as $1 or $2, with a replacement string containing a question mark (?). An unauthenticated remote attacker can send crafted HTTP requests to corrupt heap memory in the NGINX worker process. The condition causes a worker restart and, on systems with Address Space Layout Randomization (ASLR) disabled, can lead to arbitrary code execution.
Critical Impact
Unauthenticated remote attackers can crash NGINX worker processes and potentially achieve code execution against affected web servers and reverse proxies.
Affected Products
- NGINX Plus (versions still under Technical Support)
- NGINX Open Source (versions still under Technical Support)
- Deployments using the ngx_http_rewrite_module with chained rewrite/if/set directives and unnamed PCRE captures
Discovery Timeline
- 2026-05-13 - CVE-2026-42945 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42945
Vulnerability Analysis
The vulnerability is in NGINX's ngx_http_rewrite_module, which evaluates rewrite, if, and set directives during the rewrite phases of request processing. When a rewrite directive whose regular expression contains an unnamed PCRE capture group is followed by a further rewrite, if, or set directive, and the replacement string includes a question mark, the module miscalculates the size of the destination buffer used to build the rewritten value. The undersized allocation lets the subsequent write run past the end of the heap chunk.
The overflow occurs inside the NGINX worker process. At minimum, the corrupted memory causes the worker to abort and restart, producing a denial-of-service condition. On targets where ASLR is disabled, predictable heap layout makes arbitrary code execution feasible from a single crafted HTTP request.
Root Cause
The root cause is improper length calculation when expanding an unnamed PCRE capture into a replacement string that contains a literal ? character. The question mark interacts with NGINX's handling of the query-string boundary inside rewrite expressions, producing a buffer allocation smaller than the data subsequently written to it.
Attack Vector
Exploitation requires the target NGINX instance to be configured with the affected directive pattern. An unauthenticated attacker sends an HTTP request whose URI matches the vulnerable rewrite regular expression. The crafted path drives the rewrite through the miscomputed replacement and overflows the heap buffer in the worker process. Conditions beyond attacker control, such as memory layout and configuration specifics, influence reliability. See the DepthFirst Nginx Rift Analysis and the GitHub Nginx Rift Disclosure Repository for technical details.
Detection Methods for CVE-2026-42945
Indicators of Compromise
- Repeated "worker process <pid> exited on signal 11" (SIGSEGV) alerts in error.log, each followed by the master process logging the start of a replacement worker
- Bursts of requests from a single source whose URIs match the regular expression of an affected rewrite directive; the request that kills a worker is normally absent from access.log, because the access entry is written only after the response completes
- Sudden spikes in 5xx responses correlated with crashes of specific worker PIDs
Detection Strategies
- Audit NGINX configuration files for rewrite directives that use unnamed PCRE captures ($1, $2) followed by rewrite, if, or set directives, with replacements containing ?
- Parse error.log for repeated worker terminations and correlate with the source IP and URI of preceding requests in access.log
- Inspect core dumps from NGINX workers, if enabled, for evidence of heap corruption inside ngx_http_script_regex_end_code
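The error.log/access.log correlation described in the detection strategies above, as an added example for this page (not NGINX code and not part of the advisory): it parses the master process's "exited on signal" alert and default combined-format access entries, both assumed to be stamped in the server's local time, and lists what each client sent in the seconds before each crash, optionally filtered to URIs matching an affected rewrite's regex. All log lines are constructed; function names are this example's own.

```python
"""Correlate NGINX worker crashes in error.log with the requests logged in the
seconds before each one in access.log.  Added example for this advisory, not
NGINX code.  Assumes the stock master-process alert line and the default
'combined' access_log format, both stamped in the server's local time.  Every
log line below is constructed."""
import re
from datetime import datetime, timedelta

# Master writes this alert when a worker dies on a signal; "(core dumped)" may
# follow the number, which the pattern tolerates.
_CRASH = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
# Default 'combined' format: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
_ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

ERROR_LOG = """\
2026/05/14 10:22:33 [alert] 1200#1200: worker process 1204 exited on signal 11
2026/05/14 10:22:33 [notice] 1200#1200: start worker process 1310
2026/05/14 10:22:41 [alert] 1200#1200: worker process 1310 exited on signal 11 (core dumped)
"""
ACCESS_LOG = """\
198.51.100.7 - - [14/May/2026:10:22:30 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.30"
203.0.113.9 - - [14/May/2026:10:22:31 +0000] "GET /legacy/item-0001 HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.9 - - [14/May/2026:10:22:32 +0000] "GET /legacy/item-0002 HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.7 - - [14/May/2026:10:22:39 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.30"
203.0.113.9 - - [14/May/2026:10:22:40 +0000] "GET /legacy/item-0003 HTTP/1.1" 200 512 "-" "python-requests/2.32"
"""


def worker_crashes(error_log):
    """[(when, worker_pid, signal)] for every 'exited on signal' alert."""
    out = []
    for line in error_log.splitlines():
        m = _CRASH.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            out.append((when, int(m["pid"]), int(m["sig"])))
    return out


def access_entries(access_log):
    """[(when, client_ip, uri, status)]; the tz offset is dropped so the
    wall-clock time compares directly with error.log's local timestamps."""
    out = []
    for line in access_log.splitlines():
        m = _ACCESS.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        fields = m["req"].split()
        uri = fields[1] if len(fields) >= 2 else m["req"]
        out.append((when, m["ip"], uri, int(m["status"])))
    return out


def suspects(error_log, access_log, window_s=5, uri_pattern=None):
    """For each crash, collect requests logged within window_s seconds before
    it, optionally only those whose URI matches uri_pattern (for example the
    regex of an affected rewrite).  The fatal request itself is normally
    missing: a worker writes its access_log line after the response, and a
    SIGSEGV kills it first, so look at what the same client sent just before."""
    entries = access_entries(access_log)
    uri_re = re.compile(uri_pattern) if uri_pattern else None
    report = []
    for when, pid, sig in worker_crashes(error_log):
        lo = when - timedelta(seconds=window_s)
        near = [(ip, uri, status) for ts, ip, uri, status in entries
                if lo <= ts <= when and (uri_re is None or uri_re.search(uri))]
        report.append({"crashed_at": when, "pid": pid, "signal": sig, "preceding": near})
    return report


def rank_sources(report):
    """Client IPs ranked by how often they appear in the pre-crash windows."""
    counts = {}
    for crash in report:
        for ip, _uri, _status in crash["preceding"]:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for crash in suspects(ERROR_LOG, ACCESS_LOG, uri_pattern=r"^/legacy/"):
        print(crash["crashed_at"], "pid", crash["pid"], "signal", crash["signal"], crash["preceding"])
    print(rank_sources(suspects(ERROR_LOG, ACCESS_LOG)))
```

On the constructed sample the client 203.0.113.9 precedes both crashes on the rewrite-governed path while the health-check probe is filtered out by the URI pattern. In production, feed the function the regex taken from the audited rewrite directive and widen the window if the site is busy; a custom log_format or a non-local time zone needs the two regexes and the strptime formats adjusted.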
Monitoring Recommendations
- Forward NGINX access and error logs into a central analytics platform and alert on worker crash patterns
- Monitor request rates and URI entropy targeting endpoints governed by rewrite rules
- Track process restart counts for nginx: worker process and alert on thresholds exceeding baseline
How to Mitigate CVE-2026-42945
Immediate Actions Required
- Apply fixed NGINX Plus or NGINX Open Source versions as documented in F5 Security Article K000161019
- Inventory all NGINX deployments and identify configurations matching the vulnerable directive pattern
- Ensure ASLR is enabled at the operating system level to reduce the likelihood of code execution
- Restrict external exposure of NGINX instances that cannot be patched immediately
Patch Information
F5 has published remediation guidance in F5 Security Article K000161019. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported releases. Operators should verify the running version with nginx -v and update package sources accordingly.
Workarounds
- Refactor affected configurations to remove unnamed PCRE captures from rewrite replacements that include ?, using named captures or static query strings instead
- Remove or reorder rewrite, if, and set chains that follow the vulnerable rewrite directive
- Place a web application firewall in front of NGINX to filter requests with URI patterns targeting the vulnerable rewrite expressions
- Confirm ASLR is enabled by verifying /proc/sys/kernel/randomize_va_space returns 2
# Verification commands
# Print the running NGINX version (nginx -V also prints the build's configure arguments)
nginx -v
# Confirm ASLR is enabled on Linux hosts (expect 2, full randomization)
cat /proc/sys/kernel/randomize_va_space
# Test the configuration after refactoring rewrite rules, then reload without dropping connections
nginx -t && nginx -s reload
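The configuration audit called for under Detection Strategies and the refactoring described under Workarounds, as one added example for this page (not NGINX code and not F5's own check): a small screen that walks an NGINX configuration and flags a rewrite whose replacement contains a literal "?" when it is followed, within the same block, by a rewrite, if, or set directive that references an unnamed capture $1..$9, or when that "?" replacement uses $N itself. The statement tokenizer, the function names, and both sample configurations are this example's own constructions; the tokenizer assumes no ";", "{" or "}" inside quoted arguments or regexes.

```python
"""Screen an NGINX configuration for the directive chain this advisory
describes: a rewrite whose replacement contains a literal '?', followed in the
same block by a rewrite, if or set directive that references an unnamed PCRE
capture ($1..$9), or a '?' replacement that itself uses $N.  Added example for
this page; it is not NGINX code and not the official F5 check.  The two sample
configurations are constructed."""
import re

# Comments run to end of line.  Statements are "name args ;" or "name args {",
# plus bare "}" closers.  Assumption: no ';', '{' or '}' inside quoted arguments
# or regexes (a quantifier such as a{2} would need a smarter tokenizer).
_COMMENT = re.compile(r"#[^\n]*")
_STMT = re.compile(
    r"\s*(?:(?P<close>\})|(?P<name>[A-Za-z_][\w.]*)\s*(?P<args>[^;{}]*?)\s*(?P<term>[;{]))"
)
_UNNAMED = re.compile(r"\$[1-9]")       # $1..$9, NGINX's unnamed PCRE captures
_FOLLOWERS = {"rewrite", "if", "set"}


def parse(conf):
    """Return [(name, args, depth)] in file order; depth = open-brace count."""
    text = _COMMENT.sub("", conf)
    stmts, depth, pos = [], 0, 0
    while pos < len(text):
        m = _STMT.match(text, pos)
        if not m:                      # only whitespace (or junk) remains
            break
        pos = m.end()
        if m.group("close"):
            depth = max(depth - 1, 0)
            continue
        stmts.append((m.group("name"), m.group("args"), depth))
        if m.group("term") == "{":
            depth += 1
    return stmts


def find_chains(conf):
    """Return (rewrite_args, follower_name, follower_args) for every match."""
    stmts = parse(conf)
    findings = []
    for i, (name, args, depth) in enumerate(stmts):
        if name != "rewrite":
            continue
        parts = args.split()           # rewrite REGEX REPLACEMENT [flag]
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        if _UNNAMED.search(parts[1]):  # $N inside the '?' replacement itself
            findings.append((args, "rewrite", args))
        for fname, fargs, fdepth in stmts[i + 1:]:
            if fdepth < depth:         # enclosing block closed; later rewrites
                break                  #   outside it form a separate chain
            if fname in _FOLLOWERS and _UNNAMED.search(fargs):
                findings.append((args, fname, fargs))
    return findings


# Constructed sample in the shape the advisory describes (not a real deployment).
FLAGGED_CONF = """
server {
    listen 80;
    location /legacy/ {
        # '?' in the replacement, then a set that consumes the unnamed capture
        rewrite ^/legacy/([^/]+)$ /app/view?source=legacy;
        set $legacy_item $1;
    }
    location /search/ {
        # '?' replacement that uses $1 itself, then an if that reads it again
        rewrite ^/search/(.*)$ /find?q=$1;
        if ($1 = "") { return 400; }
    }
}
"""

# Same routing intent restructured as the Workarounds section suggests: named
# captures instead of $N, so no unnamed capture follows a '?' rewrite.
REFACTORED_CONF = """
server {
    listen 80;
    location /legacy/ {
        rewrite ^/legacy/(?<item>[^/]+)$ /app/view?source=legacy;
        set $legacy_item $item;
    }
    location /search/ {
        rewrite ^/search/(?<q>.*)$ /find?q=$q;
        if ($q = "") { return 400; }
    }
}
"""

if __name__ == "__main__":
    for rewrite_args, follower, follower_args in find_chains(FLAGGED_CONF):
        print(f"FLAG: rewrite {rewrite_args!r} then {follower} {follower_args!r}")
    print("refactored findings:", find_chains(REFACTORED_CONF))
```

Run it over the output of nginx -T rather than over nginx.conf alone, so that included files are resolved and the chain is judged on the merged configuration. The refactored sample matches none of the conditions the advisory lists, which is all the screen tests; it is a triage aid for prioritising the upgrade, not a proof that a given configuration is unaffected, and the fixed release from F5 Security Article K000161019 remains the remediation.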
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.