Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (f5).
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Articles & Coverage 4
AnalysisAI
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.
Technical ContextAI
This vulnerability affects the ngx_http_rewrite_module, a core NGINX module that manipulates request URIs using Perl-Compatible Regular Expressions (PCRE). The flaw (CWE-122: Heap-based Buffer Overflow) occurs when the rewrite directive chains with subsequent rewrite, if, or set directives while using unnamed PCRE capture groups ($1, $2, etc.) in replacement strings containing question marks. The heap overflow manifests during request processing when the module incorrectly calculates buffer sizes for URI manipulation. On systems with Address Space Layout Randomization (ASLR) enabled, exploitation is limited to denial-of-service via worker process crashes. However, ASLR-disabled systems face remote code execution risk as attackers can predict memory layouts to hijack control flow. Both NGINX Plus (commercial) and NGINX Open Source are affected according to CPE data cpe:2.3:a:f5:nginx_plus and cpe:2.3:a:f5:nginx_open_source, indicating widespread exposure across F5's NGINX product line.
RemediationAI
Apply vendor-released patches immediately per F5 advisory K000161019 available at https://my.f5.com/manage/s/article/K000161019. Exact patched versions are not specified in available data; consult the F5 advisory for version-specific upgrade paths. For environments unable to patch immediately, implement the following compensating controls with noted trade-offs: audit all NGINX configurations for rewrite directives followed by rewrite/if/set directives using unnamed PCRE captures ($1-$9) with question marks in replacement strings, and rewrite these to use named captures or eliminate question marks (may require application changes to URI handling logic); deploy or verify ASLR is enabled on all NGINX host systems to limit exploitation from code execution to denial-of-service only (standard on modern Linux kernels but may conflict with legacy application compatibility requirements); implement rate limiting and request validation at upstream load balancers to reduce attack surface for crafted HTTP requests (adds latency and may block legitimate edge-case requests). Configuration audits can be automated via 'grep -r rewrite /etc/nginx/' combined with regex pattern matching for vulnerable directive sequences.
More in Nginx Plus
View allHeap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem
Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside
Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt
NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen
When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Liberty Linux 8 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE CaaS Platform 4.0 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Enterprise Storage 7 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP2 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP1 | Fixed |
| SUSE Linux Enterprise Server 15 SP1-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2 | Fixed |
| SUSE Linux Enterprise Server 15 SP2-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.0 | Fixed |
| SUSE Manager Proxy 4.1 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.0 | Fixed |
| SUSE Manager Retail Branch Server 4.1 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.0 | Fixed |
| SUSE Manager Server 4.1 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| suse/rmt-nginx | Fixed |
| private-registry/harbor-nginx suse/nginx | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30010
GHSA-gcgv-v5gf-c543