NGINX Heap Buffer Overflow Vulnerability (CVE-2026-42945) Security Risk Notice

NGINX is a high-performance, lightweight open-source web server and reverse proxy. It is widely used for static resource hosting, load balancing, API gateways, cache acceleration and other scenarios, and supports HTTP/HTTPS, WebDAV, HTTP/3 and other protocols. It offers high concurrency, low resource usage and modular extensibility. It is mainstream server-side infrastructure software on the global Internet and is widely deployed by government bodies and enterprises, cloud vendors and Internet companies. ngx_http_rewrite_module is a core built-in NGINX module used to dynamically modify request URIs and to implement URL rewriting/redirection, conditional routing and variable operations based on PCRE regular expressions.
>>>>
Vulnerability description
Recently, Qianxin CERT observed that an official fix had been released for a heap buffer overflow vulnerability in the NGINX ngx_http_rewrite_module (CVE-2026-42945). When a specific rewrite directive is processed, an error in internal flag management makes the allocated length of a heap buffer inconsistent with the length actually written, causing a heap buffer overflow. An unauthenticated attacker can trigger the vulnerability by sending a crafted HTTP request, causing the worker process to crash and, under certain circumstances, achieving remote code execution. The vulnerability affects most NGINX versions from 0.6.27 to 1.30.0 and has existed in the code base for 18 years. A PoC and technical details of this vulnerability are now public. Given the broad impact of this vulnerability, customers are advised to check their own exposure and apply protections as soon as possible.
>>>>
Exploitation conditions
The NGINX configuration must contain a rewrite directive that also meets all of the following:
1. Unnamed PCRE capture groups are used (e.g., $1, $2, etc.).
2. Its replacement string contains a question mark (?).
3. This rewrite directive is followed by another rewrite, if, or set directive.
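
A self-check for the three conditions above, as an added example that is not part of the original notice or of NGINX's own tooling: it scans configuration text and reports rewrite directives whose replacement references a numbered capture, contains a question mark, and is directly followed in the same block by rewrite, if or set. Checking the replacement string for $N, reading "followed by" as the next directive in the same block, and the simplified tokenizer (includes are not resolved) are assumptions; the sample configuration is constructed.

```python
import re

# Heuristic nginx tokenizer: comment | quoted string | ; { } | bare word
TOKEN = re.compile(r'''(#[^\n]*)|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|([;{}])|([^\s;{}]+)''')
FOLLOWERS = {"rewrite", "if", "set"}

def parse_blocks(text):
    """Split config text into blocks; each block is a list of (line, args)."""
    done, stack, cur, line = [], [[]], [], 0
    for m in TOKEN.finditer(text):
        comment, quoted, punct, word = m.groups()
        if punct is None and not comment:      # argument of the current directive
            if not cur:
                line = text.count("\n", 0, m.start()) + 1
            cur.append(quoted[1:-1] if quoted else word)
        if punct in (";", "{") and cur:        # directive ends or opens a block
            stack[-1].append((line, cur))
            cur = []
        if punct == "{":
            stack.append([])
        elif punct == "}" and len(stack) > 1:
            done.append(stack.pop())
    return done + stack

def find_risky_rewrites(text):
    """Return (line, directive) for rewrites meeting all three listed conditions."""
    hits = []
    for block in parse_blocks(text):
        for (line, args), (_, nxt) in zip(block, block[1:]):
            if (args[0] == "rewrite" and len(args) >= 3
                    and re.search(r"\$\d", args[2])   # 1. unnamed capture ($1, $2, ...)
                    and "?" in args[2]                # 2. question mark in replacement
                    and nxt[0] in FOLLOWERS):         # 3. followed by rewrite/if/set
                hits.append((line, " ".join(args)))
    return sorted(hits)

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r'''
server {
    location /a/ { rewrite ^/a/(.*)$ /b/$1?src=a; set $flag 1; }   # all three
    location /c/ { rewrite ^/c/(.*)$ /d/$1?src=c last; }           # nothing follows
    location /e/ {
        rewrite ^/e/(.*)$ /f/$1;  rewrite ^/f/(?<p>.*)$ /g/$p?x=1; # no "?" / named capture
        if ($arg_x) { return 403; }
    }
}
'''
if __name__ == "__main__":
    print(*find_risky_rewrites(SAMPLE), sep="\n")
```

Feeding it the output of nginx -T covers included files as well; the reported line numbers then refer to that dump.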
Affected versions
1.0.0 <= NGINX Open Source <= 1.30.0
0.6.27 <= NGINX Open Source <= 0.9.7
R32 <= NGINX Plus < R32 P6
R36 <= NGINX Plus < R36 P4
>>>>
Other affected components
2.16.0 <= NGINX Instance Manager <= 2.21.1
5.9.0 <= F5 WAF for NGINX <= 5.12.1
4.9.0 <= NGINX App Protect WAF <= 4.16.0
5.1.0 <= NGINX App Protect WAF <= 5.8.0
F5 DoS for NGINX 4.8.0
4.3.0 <= NGINX App Protect DoS <= 4.7.0
1.3.0 <= NGINX Gateway Fabric <= 1.6.2
2.0.0 <= NGINX Gateway Fabric <= 2.5.1
3.5.0 <= NGINX Ingress Controller <= 3.7.2
4.0.0 <= NGINX Ingress Controller <= 4.0.1
5.0.0 <= NGINX Ingress Controller <= 5.4.1