Skip to main content

NGINX Plus and NGINX Open Source CVE-2026-42945

| EUVDEUVD-2026-30010 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-05-13 f5 GHSA-gcgv-v5gf-c543
9.2
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 CRITICAL
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 13, 2026 - 16:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
May 13, 2026 - 16:22 NVD
HIGH CRITICAL
CVSS changed
May 13, 2026 - 16:22 NVD
8.1 (HIGH) 9.2 (CRITICAL)
Analysis Generated
May 13, 2026 - 15:51 vuln.today
CVE Published
May 13, 2026 - 14:12 nvd
HIGH 8.1

DescriptionCVE.org

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.

Technical ContextAI

This vulnerability affects the ngx_http_rewrite_module, a core NGINX module that manipulates request URIs using Perl-Compatible Regular Expressions (PCRE). The flaw (CWE-122: Heap-based Buffer Overflow) occurs when the rewrite directive chains with subsequent rewrite, if, or set directives while using unnamed PCRE capture groups ($1, $2, etc.) in replacement strings containing question marks. The heap overflow manifests during request processing when the module incorrectly calculates buffer sizes for URI manipulation. On systems with Address Space Layout Randomization (ASLR) enabled, exploitation is limited to denial-of-service via worker process crashes. However, ASLR-disabled systems face remote code execution risk as attackers can predict memory layouts to hijack control flow. Both NGINX Plus (commercial) and NGINX Open Source are affected according to CPE data cpe:2.3:a:f5:nginx_plus and cpe:2.3:a:f5:nginx_open_source, indicating widespread exposure across F5's NGINX product line.

RemediationAI

Apply vendor-released patches immediately per F5 advisory K000161019 available at https://my.f5.com/manage/s/article/K000161019. Exact patched versions are not specified in available data; consult the F5 advisory for version-specific upgrade paths. For environments unable to patch immediately, implement the following compensating controls with noted trade-offs: audit all NGINX configurations for rewrite directives followed by rewrite/if/set directives using unnamed PCRE captures ($1-$9) with question marks in replacement strings, and rewrite these to use named captures or eliminate question marks (may require application changes to URI handling logic); deploy or verify ASLR is enabled on all NGINX host systems to limit exploitation from code execution to denial-of-service only (standard on modern Linux kernels but may conflict with legacy application compatibility requirements); implement rate limiting and request validation at upstream load balancers to reduce attack surface for crafted HTTP requests (adds latency and may block legitimate edge-case requests). Configuration audits can be automated via 'grep -r rewrite /etc/nginx/' combined with regex pattern matching for vulnerable directive sequences.

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

CVE-2024-24989 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed

Share

CVE-2026-42945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy