Which versions of NGINX Plus and NGINX Open Source are affected by CVE-2026-42945?

A critical heap buffer overflow in NGINX Plus and NGINX Open Source rewrite modules (CVE-2026-42945, CVSS 9.2) could allow remote attackers to crash worker processes or execute arbitrary code on…. A patch is available.

Is there a public PoC exploit available for CVE-2026-42945?

Yes, a public proof-of-concept exploit is available for CVE-2026-42945. Prioritise patching immediately. EPSS: 0.2%.

NGINX Plus and NGINX Open Source CVE-2026-42945

Q: What is the CVSS score of CVE-2026-42945?

CVE-2026-42945 has a CVSS 4.0 base score of 9.2 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

EUVD-2026-30010 CRITICAL

Heap-based Buffer Overflow (CWE-122)

2026-05-13 f5

GHSA-gcgv-v5gf-c543

RCE Buffer Overflow Heap Overflow Nginx Red Hat Suse

9.2

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 13, 2026 - 16:27 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 13, 2026 - 16:22 vuln.today

cvss_changed

Severity Changed

May 13, 2026 - 16:22 NVD

HIGH CRITICAL

CVSS changed

May 13, 2026 - 16:22 NVD

8.1 (HIGH) 9.2 (CRITICAL)

Analysis Generated

May 13, 2026 - 15:51 vuln.today

CVE Published

May 13, 2026 - 14:12 nvd

HIGH 8.1

DescriptionNVD

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. …

RemediationAI

Within 24 hours: Identify all NGINX Plus and Open Source instances in your environment and audit rewrite directive configurations, particularly those using PCRE captures with question marks in replacement strings. Within 7 days: Apply the vendor-released patch from F5 to all affected NGINX instances; test patches in staging environments first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory