Service Notices

All Notices > Security Notices > NGINX ngx_http_rewrite_module Heap Buffer Overflow Vulnerability (CVE-2026-42945)

NGINX ngx_http_rewrite_module Heap Buffer Overflow Vulnerability (CVE-2026-42945)

May 18, 2026 GMT+08:00

I. Overview

Huawei Cloud noticed that NGINX released an official update to fix a severe ngx_http_rewrite_module heap buffer overflow vulnerability (CVE-2026-42945). This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process and abnormal restart, resulting in denial of service (DoS). In certain system configurations, code can be remotely executed. The details and POC of this vulnerability have been disclosed and the risk is high.

NGINX, an open-source, high-performance HTTP and reverse proxy server, is widely used to build modern websites and microservice architectures. If you are an NGINX user, check your versions and implement timely security hardening.

References:

https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability

https://github.com/DepthFirstDisclosures/Nginx-Rift

https://nginx.org/en/security_advisories.html

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

0.6.27 <= NGINX Open Source <= 0.9.7

1.0.0 <= NGINX Open Source <= 1.30.0

R32 <= NGINX Plus < R32 P6

R36 <= NGINX Plus < R36 P4

Other affected components and versions:

2.16.0 <= NGINX Instance Manager <= 2.21.1

5.9.0 <= F5 WAF for NGINX <= 5.12.1

4.9.0 <= NGINX App Protect WAF <= 4.16.0

5.1.0 <= NGINX App Protect WAF <= 5.8.0

F5 DoS for NGINX 4.8.0

4.3.0 <= NGINX App Protect DoS <= 4.7.0

1.3.0 <= NGINX Gateway Fabric <= 1.6.2

2.0.0 <= NGINX Gateway Fabric <= 2.5.1

3.5.0 <= NGINX Ingress Controller <= 3.7.2

4.0.0 <= NGINX Ingress Controller <= 4.0.1

5.0.0 <= NGINX Ingress Controller <= 5.4.1

Secure versions:

NGINX Open Source >= 1.30.1

NGINX Open Source >= 1.31.0

NGINX Plus R32 >= R32 P6

NGINX Plus R36 >= R36 P4

For other affected components, you should upgrade them to the corresponding fixed versions by referring to MyF5 official announcement.

IV. Vulnerability Handling

1. This vulnerability has been fixed in a security version. If your service version falls into the affected range, upgrade it to the secure version.

https://my.f5.com/manage/s/article/K000161019

2. Mitigation measures:

If the affected users cannot perform the upgrade in a timely manner, perform the following operations:

Change unnamed capturing groups to named capturing groups in the affected rewrite directives.

Before the fix:

rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;

After the fix:

rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;

Note: Before fixing the vulnerability, back up your files and conduct a thorough test.