CVE-2026-42945: NGINX rewrite-module bug tied to PCRE captures and “?” in replacements

A newly listed issue, CVE-2026-42945, affects NGINX Plus and NGINX Open Source in the ngx_http_rewrite_module. According to the vendor advisory, the bug can be triggered under a specific combination of rewrite configuration and regular-expression captures in replacement strings, potentially causing a heap buffer overflow and a worker restart. On systems with Address Space Layout Randomization (ASLR) disabled, the advisory notes that code execution is possible.

The official advisory states: “NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,” and that crafted HTTP requests “may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.” See the F5/NGINX article for details: https://my.f5.com/manage/s/article/K000161019

A social post surfaced alongside the listing, characterizing the issue as an “18 year old critical vulnerability.” That claim is unverified in the advisory and should be treated cautiously until corroborated. Reference: https://twitter.com/Markak_/status/2054599711764750498

What’s confirmed vs. unclear

What’s confirmed (from the vendor-linked advisory):

  • The issue exists in ngx_http_rewrite_module when a rewrite directive is followed by a rewrite, if, or set directive, and an unnamed PCRE capture (such as $1, $2) is used with a replacement string that includes a question mark (?).
  • An unauthenticated attacker can send crafted HTTP requests to trigger the flaw under those configuration conditions.
  • Impact can include a heap buffer overflow and a worker restart; with ASLR disabled, code execution is possible.

What remains unclear at this time:

  • Which exact software versions are affected or fixed. The advisory excerpt we saw does not enumerate versions, and notes that end‑of‑support releases are not evaluated.
  • Whether default NGINX configurations are impacted (the described scenario involves particular rewrite patterns that may or may not be commonly deployed).
  • Evidence of exploitation in the wild or a public proof-of-concept. The sources reviewed do not provide that detail.
  • Severity scores or an official timeline of discovery and patches. These were not visible in the material referenced.

Why it matters

NGINX is widely deployed in front of high-traffic sites and APIs. Even a configuration‑specific memory‑handling bug is important because it can be triggered remotely and may restart worker processes under certain rewrite patterns. Environments that have ASLR disabled face a higher‑risk scenario per the advisory.

Practical next steps based on the advisory

The advisory’s technical description points to a narrow configuration trigger. A pragmatic course of action is to:

  • Review NGINX rewrite rules for patterns that match the described conditions: a rewrite followed by rewrite/if/set, using unnamed PCRE captures ($1, $2, …) where the replacement string contains a literal “?”. If such patterns exist, track the official advisory for guidance and updates: https://my.f5.com/manage/s/article/K000161019
  • Ensure ASLR is enabled in your environment. The advisory specifically ties the possibility of code execution to systems with ASLR disabled.
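
One way to do the rewrite-rule review above is with a small script. This is an added example, not code from the advisory or from NGINX. It assumes "followed by" means any later rewrite, if, or set directive in the same block, and that the unnamed capture appears in the replacement string itself. The function name, the simplified tokenizer, and the sample configuration are constructed for illustration.

```python
import re

# Simplified nginx tokenizer: quoted strings, comments, punctuation, bare words.
TOKEN = re.compile(
    r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\#[^\n]*|[{};]|(?:\$\{\w+\}|[^\s{};])+''')
FOLLOWERS = {"rewrite", "if", "set"}       # directives named in the advisory
UNNAMED_CAPTURE = re.compile(r"\$[1-9]")   # $1 .. $9

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = r"""location /a/ {
    rewrite ^/a/(.*)$ /b/$1?src=a;   # capture + "?" + follower: reported
    set $flag 1;
}
location /c/ {
    rewrite ^/c/(.*)$ /d/$1 last;    # no "?" in the replacement
    set $flag 2;
}
location /e/ {
    rewrite ^/e/(\d+)$ "/f?id=$1";   # nothing follows in this block
}
"""

def find_risky_rewrites(conf):
    """Return [(line, directive)] for rewrites meeting the described conditions."""
    findings, words, start = [], [], 0
    stack = [[]]  # per open block: flagged rewrites still waiting for a follower
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):
            if not words:
                start = conf.count("\n", 0, m.start()) + 1
            words.append(tok[1:-1] if tok[0] in "\"'" and len(tok) > 1 else tok)
            continue
        if words:
            if words[0] in FOLLOWERS:  # a later rewrite/if/set in the same block
                findings.extend(stack[-1])
                stack[-1] = []
            if (words[0] == "rewrite" and len(words) >= 3 and "?" in words[2]
                    and UNNAMED_CAPTURE.search(words[2])):
                stack[-1].append((start, " ".join(words)))
        if tok == "{":
            stack.append([])
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        words = []
    return findings
```

The script does not follow include directives, so pass it the full configuration as printed by `nginx -T` and treat each reported line as a candidate for manual review against the advisory.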

If you operate managed or containerized NGINX images, check with your platform or vendor channels for any updated builds or guidance that references CVE-2026-42945.

Limits of the current information

The available sources do not list affected/fixed versions, remediation steps, or patch timelines. Until the vendor publishes specific version guidance, changes beyond the configuration review above should be weighed carefully to avoid unintended disruption. Treat unverified social claims (including age of the bug or severity labels) with caution until they are reflected in an official notice.

Author: Alex Mira, AI Research Writer at Toolslib Bio: Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Alex helps transform technical cybersecurity and software topics into clear, practical articles for developers, analysts, and everyday users. Disclosure: Alex Mira is not a real person. Content under this profile may be AI-assisted and should follow Toolslib’s editorial standards.