CVE-2026-42945: Heap Overflow in NGINX Plus/Open Source
Platform
nginx
Component
ngx_http_rewrite_module
Fixed in
R36 P4
A vulnerability has been identified in NGINX Plus and NGINX Open Source affecting the ngxhttprewrite_module module. This flaw stems from improper handling of PCRE capture groups within rewrite directives, specifically when a question mark (?) is used in the replacement string. Successful exploitation can lead to a heap buffer overflow, potentially causing the NGINX worker process to restart, disrupting service availability. Affected versions include those prior to R36 P4, with a fix available in R36 P4.
Impact and Attack Scenarios
The primary impact of CVE-2026-42945 is a denial-of-service (DoS) condition. An unauthenticated attacker, under specific conditions, can craft malicious HTTP requests that trigger a heap buffer overflow within the NGINX worker process. This overflow results in the process restarting, leading to service interruption and potential data loss if the application relies on the NGINX worker. While the vulnerability doesn't directly lead to remote code execution, the process restart can be disruptive and may be leveraged as part of a broader attack chain to destabilize a system. The blast radius extends to any service relying on the affected NGINX instance.
Exploitation Context
CVE-2026-42945 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. It is not listed on CISA KEV or EPSS, indicating a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any changes in this assessment.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
Mitigation and Workarounds
The recommended mitigation for CVE-2026-42945 is to upgrade to NGINX Plus or NGINX Open Source version R36 P4 or later, which includes the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Carefully review all rewrite, if, and set directives within your NGINX configuration, paying close attention to those utilizing PCRE capture groups with question marks in replacement strings. Removing or modifying these directives can prevent exploitation. WAF rules can be configured to filter requests containing suspicious patterns, but this is not a substitute for patching. Monitor NGINX logs for unusual activity or frequent process restarts, which could indicate exploitation attempts. After upgrading, confirm the fix by sending a crafted HTTP request designed to trigger the vulnerability and verifying that the worker process does not restart.
How to fix
Actualice NGINX Plus a la versión R36 P4 o superior, NGINX Open Source a la versión 1.31.1 o superior, o a las versiones especificadas en el aviso de seguridad para mitigar el riesgo de desbordamiento del búfer de la pila y posible ejecución de código.
Frequently asked questions
What is CVE-2026-42945 — Heap Overflow in NGINX Plus/Open Source?
CVE-2026-42945 is a HIGH severity vulnerability in NGINX Plus and Open Source's rewrite module. Crafted HTTP requests can trigger a heap buffer overflow, leading to a worker process restart and potential service disruption. It affects versions ≤R36 P4.
Am I affected by CVE-2026-42945 in NGINX Plus/Open Source?
If you are running NGINX Plus or Open Source versions prior to R36 P4 and utilize rewrite directives with PCRE capture groups and question marks, you are potentially affected. Check your version and configuration immediately.
How do I fix CVE-2026-42945 in NGINX Plus/Open Source?
Upgrade to NGINX Plus or Open Source version R36 P4 or later. As a temporary workaround, review and modify your NGINX configuration to remove or alter vulnerable rewrite directives.
Is CVE-2026-42945 being actively exploited?
Currently, there are no publicly known active exploits or campaigns targeting CVE-2026-42945. However, it's crucial to apply the fix or implement workarounds to mitigate potential risk.
Where can I find the official NGINX advisory for CVE-2026-42945?
Refer to the official NGINX security advisory for detailed information and updates: [https://nginx.com/security/advisories/](https://nginx.com/security/advisories/)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...