Security Advisory Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. The vulnerability exists when a rewrite directive that uses an unnamed Perl-Compatible Regular Expression (PCRE) capture and a replacement string containing a question mark (?) is followed by a rewrite, if, or set directive. An unauthenticated attacker, under conditions beyond their control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, on systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. (CVE-2026-42945)
NGINX
| Product | Branch | Versions known to be vulnerable¹ | Fixes introduced in | Severity/CVSS score² | Vulnerable component or feature |
| --- | --- | --- | --- | --- | --- |
| NGINX Plus | 37.x | None | 37.0.0 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module |
| NGINX Plus | Rx | R32 – R36 | R36 P4, R32 P6 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module |
| NGINX Open Source | 1.x | 1.0.0 – 1.30.0 | 1.31.0, 1.30.1 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module |
| NGINX Open Source | 0.x | 0.6.27 – 0.9.7 | Will not fix | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module |
| NGINX Instance Manager | 2.x | 2.16.0 – 2.21.1 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Open Source software components |
| F5 WAF for NGINX | 5.x | 5.9.0 – 5.12.1 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX App Protect WAF | 5.x | 5.1.0 – 5.8.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX App Protect WAF | 4.x | 4.9.0 – 4.16.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| F5 DoS for NGINX | 4.x | 4.8.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX App Protect DoS | 4.x | 4.3.0 – 4.7.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX Gateway Fabric | 2.x | 2.0.0 – 2.5.1 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Gateway Fabric | 1.x | 1.3.0 – 1.6.2 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Ingress Controller | 5.x | 5.0.0 – 5.4.1 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Ingress Controller | 4.x | 4.0.0 – 4.0.1 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Ingress Controller | 3.x | 3.5.0 – 3.7.2 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX (all other products) | All | None | Not applicable | Not vulnerable | None |

¹ F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy.
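As an added, constructed example (not part of the F5 advisory and not NGINX project code), the Python below turns the advisory into two checks a defender can run during triage: a version test against the NGINX Open Source ranges in the table above, and a heuristic scan of an nginx configuration for the shape the description names (a `rewrite` whose regex has an unnamed PCRE capture and whose replacement contains `?`, followed in the same block by `rewrite`, `if` or `set`). The config heuristic is an approximation of the advisory's wording rather than the exact condition in the patched code, the minimal config tokenizer (no `include` resolution, no NGINX Plus release-string parsing) and the sample configuration are both constructed for this example, and a hit should be read as a prompt to upgrade per the table and review the block, not as proof of exploitability.

```python
"""Audit helpers derived from the NGINX ngx_http_rewrite_module advisory (constructed
example: version ranges from the advisory table; config scan is a heuristic)."""
import re

# NGINX Open Source ranges listed as vulnerable (inclusive): 0.x "will not fix", 1.x fixed in 1.31.0 / 1.30.1.
AFFECTED_RANGES = (((0, 6, 27), (0, 9, 7)), ((1, 0, 0), (1, 30, 0)))

# '(' that is neither backslash-escaped nor the start of '(?...' (named, non-capturing, lookaround).
UNNAMED_CAPTURE = re.compile(r"(?<!\\)\((?!\?)")

# Constructed sample configuration: only the /old/ location matches the advisory's pattern.
SAMPLE_CONFIG = """
server {
    location /old/ {
        # unnamed capture, '?' in the replacement, then another rewrite
        rewrite ^/old/(.*)$ /new?item=$1 break;
        rewrite ^/new/(.*)$ /v2/$1 last;
    }
    location /safe/ {
        # named capture: outside the advisory's description
        rewrite ^/safe/(?<id>.*)$ /api?id=$id last;
        set $x 1;
    }
}
"""


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the output of `nginx -v`."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version found in {banner!r}")
    return tuple(int(x) for x in m.groups())


def open_source_version_affected(banner: str) -> bool:
    """True when an NGINX Open Source version lies inside an affected range (Plus R-strings not handled)."""
    v = parse_version(banner)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def tokenize(config: str) -> list:
    """Split config text into ('word', text) and ('sym', ';'|'{'|'}') tokens; handles quotes and # comments."""
    tokens, cur, in_word, quote, i = [], [], False, None, 0
    while i < len(config):
        c = config[i]
        if quote:                                   # inside a quoted string
            if c == "\\" and i + 1 < len(config):
                cur.append(config[i + 1])
                i += 1
            elif c == quote:
                quote = None
            else:
                cur.append(c)
        elif c in "\"'":
            quote, in_word = c, True
        elif c == "#" and not in_word:              # comment runs to end of line
            while i < len(config) and config[i] != "\n":
                i += 1
        elif c.isspace() or c in ";{}":
            if in_word:
                tokens.append(("word", "".join(cur)))
                cur, in_word = [], False
            if c in ";{}":
                tokens.append(("sym", c))
        else:
            cur.append(c)
            in_word = True
        i += 1
    if in_word:
        tokens.append(("word", "".join(cur)))
    return tokens


def directives(config: str) -> list:
    """Return (depth, name, args) for every directive in file order; depth counts enclosing blocks."""
    out, args, depth = [], [], 0
    for kind, text in tokenize(config):
        if kind == "word":
            args.append(text)
        elif text == "}":
            depth -= 1
        else:                                       # ';' ends a directive, '{' also opens a block
            if args:
                out.append((depth, args[0], args[1:]))
            args = []
            if text == "{":
                depth += 1
    return out


def find_risky_rewrites(config: str) -> list:
    """Flag rewrites with an unnamed capture and '?' in the replacement whose next
    same-block directive is rewrite, if or set; returns (regex, replacement, next) tuples."""
    ds, found = directives(config), []
    for i, (depth, name, args) in enumerate(ds):
        if name != "rewrite" or len(args) < 2:
            continue
        regex, replacement = args[0], args[1]
        if not UNNAMED_CAPTURE.search(regex) or "?" not in replacement:
            continue
        for d2, name2, _ in ds[i + 1:]:
            if d2 < depth:                          # enclosing block closed first
                break
            if d2 == depth:
                if name2 in ("rewrite", "if", "set"):
                    found.append((regex, replacement, name2))
                break
    return found
```

Feed `find_risky_rewrites` the output of `nginx -T` (which dumps the effective configuration with includes resolved) rather than a single file, and pair any hit with `open_source_version_affected` on the `nginx -v` banner; the fix remains the upgrade listed in the "Fixes introduced in" column, with the scan only prioritising which hosts to patch first.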
admin
Author at The Sharing KH