CVE-2026-42945
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
4- PoC Code Published for Critical NGINX VulnerabilitySecurityWeek · May 16, 2026
- 18-year-old NGINX vulnerability allows DoS, potential RCEBleepingComputer · May 14, 2026
- F5 Patches Over 50 VulnerabilitiesSecurityWeek · May 14, 2026
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCEThe Hacker News · May 14, 2026