CVE-2026-42945

NGINX ngx_http_rewrite_module vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
April 30, 2026
Published Date
May 13, 2026
Last Updated
May 21, 2026
Vendor
F5
Product
NGINX Plus, NGINX Open Source
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker, given conditions beyond their control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

CVSS v4.0

9.2 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
none
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-05-19 15:36:39 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2026-05-19 15:36:39 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel