PT-2026-40681 · F5 · Nginx Plus
Published 2026-05-13 · Updated 2026-06-30 · CVE-2026-42945
CVSS v4.0: 9.2 (Critical)
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
NGINX Open Source 0.6.27 through 1.30.0, and NGINX Plus (fixed builds are listed under Recommendations)
Description
A heap buffer overflow exists in ngx_http_rewrite_module. It is triggered when a rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (e.g., $1, $2) is used with a replacement string containing a question mark (?). The root cause is inconsistent state in the internal rewrite engine: the is_args flag remains set between the pass that computes the required buffer length and the pass that copies the data, so escaped URI characters are written past the end of the allocated buffer (an out-of-bounds write).

An unauthenticated remote attacker can trigger the bug with crafted HTTP requests. The usual outcome is a crash of the NGINX worker process, i.e. a denial of service; on systems where Address Space Layout Randomization (ASLR) is disabled or bypassed, remote code execution is possible. Approximately 5.7 million internet-facing servers were estimated to be potentially vulnerable, and in-the-wild exploitation was observed shortly after public disclosure.
Recommendations
Update NGINX Open Source to versions 1.30.1 or 1.31.0.
Update NGINX Plus to versions 37.0.0, R36 P4, or R32 P6.
As a temporary mitigation, replace all unnamed PCRE captures with named captures in the affected rewrite, if, or set directives. Note that this only removes the specific trigger described above; it is not a substitute for upgrading.
Exploit · Fix · DoS · RCE · Heap Based Buffer Overflow
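The two checks a responder would want from this advisory, written here as an added example (it is not code from the advisory, from F5 or from NGINX): a version comparison against the affected open-source range quoted above, and a heuristic scan of a config file for rewrite/set directives that combine an unnamed capture with a "?" in the replacement. The sample configuration is constructed for the example and assumes the ordinary "nginx version: nginx/X.Y.Z" output of nginx -v; the scan only lists candidates, since the advisory's trigger also depends on the directive that follows, so hits must be reviewed by hand.

```shell
#!/bin/sh
# Added example for PT-2026-40681 / CVE-2026-42945; not code from the advisory or NGINX.
#   nginx_version_vulnerable  - is the version inside the affected range 0.6.27 .. 1.30.0?
#   count_rewrite_findings    - heuristic: rewrite/set lines mixing an unnamed
#                               capture ($1, $2 ...) with a '?' (candidates only).

# Map "major.minor.patch" onto one integer so versions compare numerically.
ver_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Exit 0 when the version lies in the affected open-source range.
# Accepts a bare "1.29.0" or a full "nginx version: nginx/1.29.0" line (assumed nginx -v format).
nginx_version_vulnerable() {
    v=$(printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$v" ] || v="$1"
    k=$(ver_key "$v")
    [ "$k" -ge "$(ver_key 0.6.27)" ] && [ "$k" -le "$(ver_key 1.30.0)" ]
}

# Count rewrite/set directives that carry both an unnamed capture and a '?'.
# Named captures ($item, $rest) are deliberately not matched: that is the mitigation.
count_rewrite_findings() {
    grep -E '^[[:space:]]*(rewrite|set)[[:space:]]' "$1" \
        | grep -E '\$[0-9]' \
        | grep -F '?' \
        | wc -l | tr -d ' '
}

# Constructed sample config (not from any real deployment): the first location
# shows the pattern the advisory describes, the second the named-capture form
# from the Recommendations section.
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    location /old/ {
        # unnamed capture, '?' in the replacement, followed by another rewrite
        rewrite ^/old/(.*)$ /new?item=$1 break;
        rewrite ^/new(.*)$ /v2$1 last;
    }
    location /legacy/ {
        # named captures only: the interim mitigation from the advisory
        rewrite ^/legacy/(?<item>.*)$ /new?item=$item break;
        rewrite ^/new(?<rest>.*)$ /v2$rest last;
    }
}
EOF
}

# Stand-alone usage: check the local binary (if present) and the sample config.
if command -v nginx >/dev/null 2>&1; then
    if nginx_version_vulnerable "$(nginx -v 2>&1)"; then
        echo "nginx binary is within the affected range"
    else
        echo "nginx binary is outside the affected range"
    fi
fi
conf=$(mktemp)
write_sample_config "$conf"
echo "candidate rewrite lines in sample config: $(count_rewrite_findings "$conf")"
rm -f "$conf"
```

Point count_rewrite_findings at each file that nginx -T prints (the dumped full configuration, including included files), not only nginx.conf, and remember that NGINX Plus uses its own release numbering (R32 P6, R36 P4, 37.0.0), so the version check above applies to the open-source build only.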
Affected Products
Linux Mint
Nginx Open Source
Nginx Plus
Nginx
RED OS
Rocky Linux
Ubuntu