CVE-2026-42945: Heap Overflow in NGINX Plus/Open Source
Plateforme
nginx
Composant
ngx_http_rewrite_module
Corrigé dans
R36 P4
A vulnerability has been identified in NGINX Plus and NGINX Open Source affecting the ngxhttprewrite_module module. This flaw stems from improper handling of PCRE capture groups within rewrite directives, specifically when a question mark (?) is used in the replacement string. Successful exploitation can lead to a heap buffer overflow, potentially causing the NGINX worker process to restart, disrupting service availability. Affected versions include those prior to R36 P4, with a fix available in R36 P4.
Impact et Scénarios d'Attaquetraduction en cours…
The primary impact of CVE-2026-42945 is a denial-of-service (DoS) condition. An unauthenticated attacker, under specific conditions, can craft malicious HTTP requests that trigger a heap buffer overflow within the NGINX worker process. This overflow results in the process restarting, leading to service interruption and potential data loss if the application relies on the NGINX worker. While the vulnerability doesn't directly lead to remote code execution, the process restart can be disruptive and may be leveraged as part of a broader attack chain to destabilize a system. The blast radius extends to any service relying on the affected NGINX instance.
Contexte d'Exploitationtraduction en cours…
CVE-2026-42945 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. It is not listed on CISA KEV or EPSS, indicating a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any changes in this assessment.
Renseignement sur les Menaces
Statut de l'Exploit
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Élevée — nécessite une condition de course, configuration non standard ou circonstances spécifiques.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
Mitigation et Contournementstraduction en cours…
The recommended mitigation for CVE-2026-42945 is to upgrade to NGINX Plus or NGINX Open Source version R36 P4 or later, which includes the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Carefully review all rewrite, if, and set directives within your NGINX configuration, paying close attention to those utilizing PCRE capture groups with question marks in replacement strings. Removing or modifying these directives can prevent exploitation. WAF rules can be configured to filter requests containing suspicious patterns, but this is not a substitute for patching. Monitor NGINX logs for unusual activity or frequent process restarts, which could indicate exploitation attempts. After upgrading, confirm the fix by sending a crafted HTTP request designed to trigger the vulnerability and verifying that the worker process does not restart.
Comment corrigertraduction en cours…
Actualice NGINX Plus a la versión R36 P4 o superior, NGINX Open Source a la versión 1.31.1 o superior, o a las versiones especificadas en el aviso de seguridad de F5 para mitigar el riesgo de desbordamiento del búfer de la pila y posible ejecución de código.
Questions fréquentestraduction en cours…
What is CVE-2026-42945 — Heap Overflow in NGINX Plus/Open Source?
CVE-2026-42945 is a HIGH severity vulnerability in NGINX Plus and Open Source's rewrite module. Crafted HTTP requests can trigger a heap buffer overflow, leading to a worker process restart and potential service disruption. It affects versions ≤R36 P4.
Am I affected by CVE-2026-42945 in NGINX Plus/Open Source?
If you are running NGINX Plus or Open Source versions prior to R36 P4 and utilize rewrite directives with PCRE capture groups and question marks, you are potentially affected. Check your version and configuration immediately.
How do I fix CVE-2026-42945 in NGINX Plus/Open Source?
Upgrade to NGINX Plus or Open Source version R36 P4 or later. As a temporary workaround, review and modify your NGINX configuration to remove or alter vulnerable rewrite directives.
Is CVE-2026-42945 being actively exploited?
Currently, there are no publicly known active exploits or campaigns targeting CVE-2026-42945. However, it's crucial to apply the fix or implement workarounds to mitigate potential risk.
Where can I find the official NGINX advisory for CVE-2026-42945?
Refer to the official NGINX security advisory for detailed information and updates: [https://nginx.com/security/advisories/](https://nginx.com/security/advisories/)
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Essayez maintenant — sans compte
Téléchargez n'importe quel manifeste (composer.lock, package-lock.json, liste de plugins WordPress…) ou collez votre liste de composants. Vous obtiendrez un rapport de vulnérabilités instantanément. Le téléchargement d'un fichier n'est qu'un début : avec un compte vous bénéficiez d'une surveillance continue, d'alertes Slack/email, de multi-projets et de rapports en marque blanche.
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...