CVE-2026-42945

Name	CVE-2026-42945
Description	NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-6278-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
nginx (PTS)	bullseye	1.18.0-6.1+deb11u3	vulnerable
	bullseye (security)	1.18.0-6.1+deb11u5	vulnerable
	bookworm	1.22.1-9+deb12u6	vulnerable
	bookworm (security)	1.22.1-9+deb12u7	fixed
	trixie	1.26.3-3+deb13u4	vulnerable
	trixie (security)	1.26.3-3+deb13u5	fixed
	forky	1.30.0-2	vulnerable
	sid	1.30.0-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
nginx	source	bookworm	1.22.1-9+deb12u7	DSA-6278-1
nginx	source	trixie	1.26.3-3+deb13u5	DSA-6278-1
nginx	source	(unstable)	1.30.0-3

Notes

https://www.openwall.com/lists/oss-security/2026/05/13/7
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
https://my.f5.com/manage/s/article/K000161019
https://nginx.org/en/security_advisories.html
https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686 (release-1.30.1)