CVE-2026-42945: Heap Overflow in NGINX Plus/Open Source
Plataforma
nginx
Componente
ngx_http_rewrite_module
Corrigido em
R36 P4
A vulnerability has been identified in NGINX Plus and NGINX Open Source affecting the ngxhttprewrite_module module. This flaw stems from improper handling of PCRE capture groups within rewrite directives, specifically when a question mark (?) is used in the replacement string. Successful exploitation can lead to a heap buffer overflow, potentially causing the NGINX worker process to restart, disrupting service availability. Affected versions include those prior to R36 P4, with a fix available in R36 P4.
Impacto e Cenários de Ataquetraduzindo…
The primary impact of CVE-2026-42945 is a denial-of-service (DoS) condition. An unauthenticated attacker, under specific conditions, can craft malicious HTTP requests that trigger a heap buffer overflow within the NGINX worker process. This overflow results in the process restarting, leading to service interruption and potential data loss if the application relies on the NGINX worker. While the vulnerability doesn't directly lead to remote code execution, the process restart can be disruptive and may be leveraged as part of a broader attack chain to destabilize a system. The blast radius extends to any service relying on the affected NGINX instance.
Contexto de Exploraçãotraduzindo…
CVE-2026-42945 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. It is not listed on CISA KEV or EPSS, indicating a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any changes in this assessment.
Inteligência de Ameaças
Status do Exploit
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Alta — exige condição de corrida, configuração não padrão ou circunstâncias específicas.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Alto — falha completa ou esgotamento de recursos. Negação de serviço total.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
- Modificada
Mitigação e Soluções Alternativastraduzindo…
The recommended mitigation for CVE-2026-42945 is to upgrade to NGINX Plus or NGINX Open Source version R36 P4 or later, which includes the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Carefully review all rewrite, if, and set directives within your NGINX configuration, paying close attention to those utilizing PCRE capture groups with question marks in replacement strings. Removing or modifying these directives can prevent exploitation. WAF rules can be configured to filter requests containing suspicious patterns, but this is not a substitute for patching. Monitor NGINX logs for unusual activity or frequent process restarts, which could indicate exploitation attempts. After upgrading, confirm the fix by sending a crafted HTTP request designed to trigger the vulnerability and verifying that the worker process does not restart.
Como corrigirtraduzindo…
Actualice NGINX Plus a la versión R36 P4 o superior, NGINX Open Source a la versión 1.31.1 o superior, o a las versiones especificadas en el aviso de seguridad de F5 para mitigar el riesgo de desbordamiento del búfer de la pila y posible ejecución de código.
Perguntas frequentestraduzindo…
What is CVE-2026-42945 — Heap Overflow in NGINX Plus/Open Source?
CVE-2026-42945 is a HIGH severity vulnerability in NGINX Plus and Open Source's rewrite module. Crafted HTTP requests can trigger a heap buffer overflow, leading to a worker process restart and potential service disruption. It affects versions ≤R36 P4.
Am I affected by CVE-2026-42945 in NGINX Plus/Open Source?
If you are running NGINX Plus or Open Source versions prior to R36 P4 and utilize rewrite directives with PCRE capture groups and question marks, you are potentially affected. Check your version and configuration immediately.
How do I fix CVE-2026-42945 in NGINX Plus/Open Source?
Upgrade to NGINX Plus or Open Source version R36 P4 or later. As a temporary workaround, review and modify your NGINX configuration to remove or alter vulnerable rewrite directives.
Is CVE-2026-42945 being actively exploited?
Currently, there are no publicly known active exploits or campaigns targeting CVE-2026-42945. However, it's crucial to apply the fix or implement workarounds to mitigate potential risk.
Where can I find the official NGINX advisory for CVE-2026-42945?
Refer to the official NGINX security advisory for detailed information and updates: [https://nginx.com/security/advisories/](https://nginx.com/security/advisories/)
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Suba qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Você receberá um relatório de vulnerabilidades instantaneamente. Subir um arquivo é apenas o começo: com uma conta você terá monitoramento contínuo, alertas por Slack/email, vários projetos e relatórios com marca branca.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...