{ "threat_severity" : "Critical", "public_date" : "2026-05-13T14:12:43Z", "bugzilla" : { "description" : "nginx: NGINX: Arbitrary Code Execution Vulnerability", "id" : "2477116", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477116" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-131", "details" : [ "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution if Address Space Layout Randomization (ASLR), a security technique to prevent exploitation, is disabled. Otherwise, this flaw causes a denial of service due to a restart of the NGINX worker process." ], "statement" : "Critical: This flaw in NGINX's ngx_http_rewrite_module can lead to arbitrary code execution due to a heap buffer overflow if Address Space Layout Randomization (ASLR) is disabled, or a denial of service otherwise. Exploitation requires specific, non-default NGINX rewrite configurations involving unnamed PCRE captures and a question mark in the replacement string.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18063", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "nginx-2:1.26.3-2.el10_1.2" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19159", "cpe" : "cpe:/o:redhat:enterprise_linux:10.2", "package" : "nginx-2:1.26.3-6.el10_2.3" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17790", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "nginx-2:1.26.3-1.el10_0.9" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18041", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nginx:1.24-8100020260514165201.489197e6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18029", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nginx-2:1.20.1-24.el9_7.3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19371", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nginx:1.24-9080020260514160836.9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19372", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nginx:1.26-9080020260514152324.9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19374", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nginx-2:1.20.1-28.el9_8.2" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17791", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "nginx-1:1.20.1-10.el9_0.4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17751", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "nginx-1:1.20.1-14.el9_2.6" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17792", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "nginx-1:1.20.1-16.el9_4.6" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17793", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "nginx:1.24-9040020260514192210.9" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17752", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "nginx:1.24-9060020260514175739.9" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17753", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "nginx:1.26-9060020260514170123.9" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-05-15T00:00:00Z", "advisory" : "RHSA-2026:17794", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "nginx-2:1.20.1-22.el9_6.6" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17417", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "nginx-main-1.30.1-1.hum1" } ], "package_state" : [ { "product_name" : "Red Hat Lightspeed proxy 1", "fix_state" : "Affected", "package_name" : "insights-proxy/insights-proxy-container-rhel9", "cpe" : "cpe:/a:redhat:insights_proxy:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42945\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42945\nhttps://depthfirst.com/nginx-rift\nhttps://my.f5.com/manage/s/article/K000161019" ], "csaw" : true, "name" : "CVE-2026-42945" }