Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE Capture
CVE-2026-42945 Published on May 13, 2026
NGINX ngx_http_rewrite_module vulnerability
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Vulnerability Analysis
CVE-2026-42945 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Incorrect Calculation of Buffer Size
The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Products Associated with CVE-2026-42945
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-42945 are published in these products:
Affected Versions
F5 NGINX Plus:- Version R37 and below * is unaffected.
- Version R36 and below R36 P4 is affected.
- Version R32 and below R32 P6 is affected.
- Version 1.31.0 and below * is unaffected.
- Version 0.6.27 and below 1.30.1 is affected.
- Version 2:1.26.3-2.el10_1.2 and below * is unaffected.
- Version 2:1.26.3-6.el10_2.3 and below * is unaffected.
- Version 2:1.26.3-1.el10_0.9 and below * is unaffected.
- Version 8100020260514165201.489197e6 and below * is unaffected.
- Version 2:1.20.1-24.el9_7.3 and below * is unaffected.
- Version 2:1.20.1-28.el9_8.2 and below * is unaffected.
- Version 9080020260514160836.9 and below * is unaffected.
- Version 9080020260514152324.9 and below * is unaffected.
- Version 1:1.20.1-10.el9_0.4 and below * is unaffected.
- Version 1:1.20.1-14.el9_2.6 and below * is unaffected.
- Version 1:1.20.1-16.el9_4.6 and below * is unaffected.
- Version 9040020260514192210.9 and below * is unaffected.
- Version 9060020260514175739.9 and below * is unaffected.
- Version 9060020260514170123.9 and below * is unaffected.
- Version 2:1.20.1-22.el9_6.6 and below * is unaffected.
- Version 1.30.1-1.hum1 and below * is unaffected.
- Version 1779972138 and below * is unaffected.
- Version 1779972283 and below * is unaffected.
- Version 1779972179 and below * is unaffected.
- Version 1779967811 and below * is unaffected.
- Version 1779967813 and below * is unaffected.
- Version 1779968303 and below * is unaffected.
- Version 1779959318 and below * is unaffected.
- Version 1779959527 and below * is unaffected.
- Version 1779959592 and below * is unaffected.
- Version 1779952245 and below * is unaffected.
- Version 1779952279 and below * is unaffected.
- Version 1779952463 and below * is unaffected.
- Version 1779881302 and below * is unaffected.
- Version 1779881608 and below * is unaffected.
- Version 1779881122 and below * is unaffected.
- Version 1779881012 and below * is unaffected.
- Version 1779881008 and below * is unaffected.
- Version 1779881332 and below * is unaffected.
- Version 1779879463 and below * is unaffected.
- Version 1779877770 and below * is unaffected.
- Version 1779881377 and below * is unaffected.
- Version 1779946521 and below * is unaffected.
- Version 1779946525 and below * is unaffected.
- Version 1779946691 and below * is unaffected.
- Version 1779706745 and below * is unaffected.
- Version 1779706797 and below * is unaffected.
- Version 1779798159 and below * is unaffected.
- Version 1779798222 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.