Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow exists in the nginx rewrite module when a rewrite, if, or set directive is followed by an unnamed Perl-Compatible Regular Expression capture with a replacement string that includes a question mark. An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests to the affected server. The overflow may trigger a worker process restart, and if the system has Address Space Layout Randomization disabled, the vulnerability can be leveraged to achieve code execution at the worker process level.

Affected Systems

The vulnerability affects F5’s NGINX Open Source and NGINX Plus distributions. No specific product versions are listed in the CNA data; affected releases are those containing the vulnerable rewrite module code path.

Risk and Exploitability

The CVSS score of 9.2 classifies the flaw as critical. The EPSS score of < 1% indicates a very low but non‑zero likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a network‑based, unauthenticated HTTP request that triggers the vulnerable rewrite logic. Exploitation requires that the rewrite configuration includes the described pattern; if ASLR is disabled, the resulting buffer overflow can lead to arbitrary code execution.

Generated by OpenCVE AI on May 21, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade F5 NGINX Open Source or NGINX Plus to the latest supported release that contains the fix for the rewrite module overflow.
  • If an upgrade is not immediately possible, modify or remove the vulnerable rewrite directives that use unnamed captures with question marks, or replace them with safer syntax that does not expose the overflow.
  • Ensure that Address Space Layout Randomization is enabled on the operating system to mitigate the risk of code execution when the buffer overflow occurs.
  • If the vulnerable configuration cannot be altered, apply network‑level controls to restrict which clients can reach the affected rewrite directives, such as firewall rules or ACLs that block or limit request origins.

Generated by OpenCVE AI on May 21, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4589-1 nginx security update
Debian DSA Debian DSA DSA-6278-1 nginx security update
Ubuntu USN Ubuntu USN USN-8271-1 nginx vulnerability
Ubuntu USN Ubuntu USN USN-8375-1 nginx vulnerabilities
History

Thu, 21 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 threat_severity

Critical

Thu, 14 May 2026 02:30:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_rewrite_module vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-21T18:28:55.718Z

Reserved: 2026-04-30T23:04:27.955Z

Link: CVE-2026-42945

cve-icon Vulnrichment

Updated: 2026-05-14T18:54:21.853Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:50.190

Modified: 2026-05-21T19:16:53.100

Link: CVE-2026-42945

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-13T14:12:43Z

Links: CVE-2026-42945 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T21:00:16Z

Weaknesses