CVE-2026-42945

Name of the Vulnerable Software and Affected Versions NGINX Open Source versions 0.6.27 through 1.30.0 NGINX Plus versions R32 through R36 NGINX Instance Manager versions 2.16.0 through 2.21.1 F5 WAF for NGINX (affected versions not specified) App Protect WAF and DoS (affected versions not specified) NGINX Gateway Fabric (affected versions not specified) NGINX Ingress Controller (affected versions not specified)

Description A heap buffer overflow exists in the ngx http rewrite module module of NGINX. This issue occurs when a rewrite directive is followed by a rewrite, if, or set directive and utilizes an unnamed Perl-Compatible Regular Expression (PCRE) capture (such as $1 or $2) with a replacement string containing a question mark (?). The root cause is an is args flag mismatch between the script engine's length pass and copy pass, which results in an undersized heap allocation while the write process expands escaped characters, overflowing the buffer. An unauthenticated attacker can exploit this by sending crafted HTTP requests, potentially causing the NGINX worker process to restart, leading to a denial-of-service. On systems where Address Space Layout Randomization (ASLR)—a security technique that randomly arranges the address space positions of key data areas of a process—is disabled, remote code execution is possible. Approximately 18.9 million exposed NGINX instances have been identified worldwide.

Recommendations Upgrade NGINX Open Source to versions 1.30.1 or 1.31.0. Upgrade NGINX Plus to versions R32 P6, R35 P2, or R36 P4. As a temporary workaround, replace unnamed captures with named ones (e.g., (?<name>...)) or remove the ? from the replacement string and reload NGINX.