NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution if Address Space Layout Randomization (ASLR), a security technique to prevent exploitation, is disabled. Otherwise, this flaw causes a denial of service due to a restart of the NGINX worker process.

Critical: This flaw in NGINX's ngx_http_rewrite_module can lead to arbitrary code execution due to a heap buffer overflow if Address Space Layout Randomization (ASLR) is disabled, or a denial of service otherwise. Exploitation requires specific, non-default NGINX rewrite configurations involving unnamed PCRE captures and a question mark in the replacement string. Red Hat Enterprise Linux 10 2026-05-18T00:00:00Z RHSA-2026:18063 nginx-2:1.26.3-2.el10_1.2 Red Hat Enterprise Linux 10 2026-05-19T00:00:00Z RHSA-2026:19159 nginx-2:1.26.3-6.el10_2.3 Red Hat Enterprise Linux 10.0 Extended Update Support 2026-05-15T00:00:00Z RHSA-2026:17790 nginx-2:1.26.3-1.el10_0.9 Red Hat Enterprise Linux 8 2026-05-18T00:00:00Z RHSA-2026:18041 nginx:1.24-8100020260514165201.489197e6 Red Hat Enterprise Linux 9 2026-05-18T00:00:00Z RHSA-2026:18029 nginx-2:1.20.1-24.el9_7.3 Red Hat Enterprise Linux 9 2026-05-19T00:00:00Z RHSA-2026:19371 nginx:1.24-9080020260514160836.9 Red Hat Enterprise Linux 9 2026-05-19T00:00:00Z RHSA-2026:19372 nginx:1.26-9080020260514152324.9 Red Hat Enterprise Linux 9 2026-05-19T00:00:00Z RHSA-2026:19374 nginx-2:1.20.1-28.el9_8.2 Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions 2026-05-15T00:00:00Z RHSA-2026:17791 nginx-1:1.20.1-10.el9_0.4 Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions 2026-05-15T00:00:00Z RHSA-2026:17751 nginx-1:1.20.1-14.el9_2.6 Red Hat Enterprise Linux 9.4 Extended Update Support 2026-05-15T00:00:00Z RHSA-2026:17792 nginx-1:1.20.1-16.el9_4.6 Red Hat Enterprise Linux 9.4 Extended Update Support 2026-05-15T00:00:00Z RHSA-2026:17793 nginx:1.24-9040020260514192210.9 Red Hat Enterprise Linux 9.6 Extended Update Support 2026-05-15T00:00:00Z RHSA-2026:17752 nginx:1.24-9060020260514175739.9 Red Hat Enterprise Linux 9.6 Extended Update Support 2026-05-15T00:00:00Z RHSA-2026:17753 nginx:1.26-9060020260514170123.9 Red Hat Enterprise Linux 9.6 Extended Update Support 2026-05-15T00:00:00Z RHSA-2026:17794 nginx-2:1.20.1-22.el9_6.6 Red Hat Hardened Images 2026-05-14T00:00:00Z RHSA-2026:17417 nginx-main-1.30.1-1.hum1 Red Hat Satellite 6.18 2026-05-25T00:00:00Z RHSA-2026:20442 satellite/iop-gateway-rhel9:1779706745 Red Hat Satellite 6.19 2026-05-25T00:00:00Z RHSA-2026:20444 satellite/iop-gateway-rhel9:1779706797 Red Hat Update Infrastructure 5 2026-05-27T00:00:00Z RHSA-2026:21275 rhui5/cds-rhel9:1779798159 Red Hat Update Infrastructure 5 2026-05-27T00:00:00Z RHSA-2026:21275 rhui5/rhua-rhel9:1779798222 Red Hat Lightspeed proxy 1 Affected insights-proxy/insights-proxy-container-rhel9 Red Hat Openshift Data Foundation 4 Affected odf4/ocs-client-console-rhel9 Red Hat Openshift Data Foundation 4 Affected odf4/odf-console-rhel9 Red Hat Openshift Data Foundation 4 Affected odf4/odf-multicluster-console-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-42945 https://nvd.nist.gov/vuln/detail/CVE-2026-42945 https://depthfirst.com/nginx-rift https://my.f5.com/manage/s/article/K000161019 True