CVE-2026-42945
NGINX ngx_http_rewrite_module vulnerability
Public Exploits: 0
Exploited in Wild: -
Descriptions
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. The vulnerability exists when a rewrite directive is followed by a rewrite, if, or set directive and uses an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker, given conditions beyond the attacker's control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, on systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
SSVC
- Decision: Track*
Timeline
- 2026-04-30 CVE Reserved
- 2026-05-13 CVE Published
- 2026-05-14 CVE Updated
- 2026-05-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-122: Heap-based Buffer Overflow
References (3)
| URL | Date |
|---|---|
| https://depthfirst.com/nginx-rift | |
| https://github.com/DepthFirstDisclosures/Nginx-Rift | |
| https://my.f5.com/manage/s/article/K000161019 | 2026-05-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| F5 | NGINX Open Source | >= 0.6.27 < 1.30.1 | en | Affected |
