CVE-2026-42945: Heap Overflow in NGINX Plus/Open Source
Platform
nginx
Component
ngx_http_rewrite_module
Opgelost in
R36 P4
A vulnerability has been identified in NGINX Plus and NGINX Open Source affecting the ngxhttprewrite_module module. This flaw stems from improper handling of PCRE capture groups within rewrite directives, specifically when a question mark (?) is used in the replacement string. Successful exploitation can lead to a heap buffer overflow, potentially causing the NGINX worker process to restart, disrupting service availability. Affected versions include those prior to R36 P4, with a fix available in R36 P4.
Impact en Aanvalsscenarioswordt vertaald…
The primary impact of CVE-2026-42945 is a denial-of-service (DoS) condition. An unauthenticated attacker, under specific conditions, can craft malicious HTTP requests that trigger a heap buffer overflow within the NGINX worker process. This overflow results in the process restarting, leading to service interruption and potential data loss if the application relies on the NGINX worker. While the vulnerability doesn't directly lead to remote code execution, the process restart can be disruptive and may be leveraged as part of a broader attack chain to destabilize a system. The blast radius extends to any service relying on the affected NGINX instance.
Uitbuitingscontextwordt vertaald…
CVE-2026-42945 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. It is not listed on CISA KEV or EPSS, indicating a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any changes in this assessment.
Dreigingsinformatie
Exploit Status
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Hoog — vereist een race condition, niet-standaard configuratie of specifieke omstandigheden.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
Mitigatie en Workaroundswordt vertaald…
The recommended mitigation for CVE-2026-42945 is to upgrade to NGINX Plus or NGINX Open Source version R36 P4 or later, which includes the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Carefully review all rewrite, if, and set directives within your NGINX configuration, paying close attention to those utilizing PCRE capture groups with question marks in replacement strings. Removing or modifying these directives can prevent exploitation. WAF rules can be configured to filter requests containing suspicious patterns, but this is not a substitute for patching. Monitor NGINX logs for unusual activity or frequent process restarts, which could indicate exploitation attempts. After upgrading, confirm the fix by sending a crafted HTTP request designed to trigger the vulnerability and verifying that the worker process does not restart.
Hoe te verhelpenwordt vertaald…
Actualice NGINX Plus a la versión R36 P4 o superior, NGINX Open Source a la versión 1.31.1 o superior, o a las versiones especificadas en el aviso de seguridad para mitigar el riesgo de desbordamiento del búfer de la pila y posible ejecución de código.
Veelgestelde vragenwordt vertaald…
What is CVE-2026-42945 — Heap Overflow in NGINX Plus/Open Source?
CVE-2026-42945 is a HIGH severity vulnerability in NGINX Plus and Open Source's rewrite module. Crafted HTTP requests can trigger a heap buffer overflow, leading to a worker process restart and potential service disruption. It affects versions ≤R36 P4.
Am I affected by CVE-2026-42945 in NGINX Plus/Open Source?
If you are running NGINX Plus or Open Source versions prior to R36 P4 and utilize rewrite directives with PCRE capture groups and question marks, you are potentially affected. Check your version and configuration immediately.
How do I fix CVE-2026-42945 in NGINX Plus/Open Source?
Upgrade to NGINX Plus or Open Source version R36 P4 or later. As a temporary workaround, review and modify your NGINX configuration to remove or alter vulnerable rewrite directives.
Is CVE-2026-42945 being actively exploited?
Currently, there are no publicly known active exploits or campaigns targeting CVE-2026-42945. However, it's crucial to apply the fix or implement workarounds to mitigate potential risk.
Where can I find the official NGINX advisory for CVE-2026-42945?
Refer to the official NGINX security advisory for detailed information and updates: [https://nginx.com/security/advisories/](https://nginx.com/security/advisories/)
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Probeer het nu — geen account
Upload elk manifest (composer.lock, package-lock.json, WordPress-pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mailmeldingen, meerdere projecten en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...