CVE Vulnerabilities

CVE-2026-42945

Heap-based Buffer Overflow

Published: May 13, 2026 | Modified: Jun 27, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
8.1 CRITICAL
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
HIGH
root.io logo minimus.io logo echo.ai logo

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Weakness

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Affected Software

NameVendorStart VersionEnd Version
DosF54.3.0 (including)4.7.0 (including)
DosF54.8.0 (including)4.8.0 (including)
Nginx_gateway_fabricF51.3.0 (including)1.6.2 (including)
Nginx_gateway_fabricF52.0.0 (including)2.5.1 (including)
Nginx_ingress_controllerF53.5.0 (including)3.7.2 (including)
Nginx_ingress_controllerF54.0.0 (including)4.0.1 (including)
Nginx_ingress_controllerF55.0.0 (including)5.4.1 (including)
Nginx_instance_managerF52.16.0 (including)2.21.1 (including)
Nginx_open_sourceF50.6.27 (including)1.30.0 (including)
Nginx_plusF5r32 (including)r36 (including)
WafF54.9.0 (including)4.16.0 (including)
WafF55.1.0 (including)5.8.0 (including)
WafF55.9.0 (including)5.12.1 (including)
Red Hat Enterprise Linux 10RedHatnginx-2:1.26.3-2.el10_1.2*
Red Hat Enterprise Linux 10RedHatnginx-2:1.26.3-6.el10_2.3*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatnginx-2:1.26.3-1.el10_0.9*
Red Hat Enterprise Linux 8RedHatnginx:1.24-8100020260514165201.489197e6*
Red Hat Enterprise Linux 9RedHatnginx-2:1.20.1-24.el9_7.3*
Red Hat Enterprise Linux 9RedHatnginx:1.24-9080020260514160836.9*
Red Hat Enterprise Linux 9RedHatnginx:1.26-9080020260514152324.9*
Red Hat Enterprise Linux 9RedHatnginx-2:1.20.1-28.el9_8.2*
Red Hat Enterprise Linux 9.0 Update Services for SAP SolutionsRedHatnginx-1:1.20.1-10.el9_0.4*
Red Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRedHatnginx-1:1.20.1-14.el9_2.6*
Red Hat Enterprise Linux 9.4 Extended Update SupportRedHatnginx-1:1.20.1-16.el9_4.6*
Red Hat Enterprise Linux 9.4 Extended Update SupportRedHatnginx:1.24-9040020260514192210.9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatnginx:1.24-9060020260514175739.9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatnginx:1.26-9060020260514170123.9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatnginx-2:1.20.1-22.el9_6.6*
Red Hat Hardened ImagesRedHatnginx-main-1.30.1-1.hum1*
Red Hat Openshift Data Foundation 4.14RedHatodf4/ocs-client-console-rhel9:1779972138*
Red Hat Openshift Data Foundation 4.14RedHatodf4/odf-console-rhel9:1779972283*
Red Hat Openshift Data Foundation 4.14RedHatodf4/odf-multicluster-console-rhel9:1779972179*
Red Hat Openshift Data Foundation 4.15RedHatodf4/ocs-client-console-rhel9:1779967811*
Red Hat Openshift Data Foundation 4.15RedHatodf4/odf-console-rhel9:1779967813*
Red Hat Openshift Data Foundation 4.15RedHatodf4/odf-multicluster-console-rhel9:1779968303*
Red Hat Openshift Data Foundation 4.16RedHatodf4/ocs-client-console-rhel9:1779959318*
Red Hat Openshift Data Foundation 4.16RedHatodf4/odf-console-rhel9:1779959527*
Red Hat Openshift Data Foundation 4.16RedHatodf4/odf-multicluster-console-rhel9:1779959592*
Red Hat Openshift Data Foundation 4.17RedHatodf4/ocs-client-console-rhel9:1779952245*
Red Hat Openshift Data Foundation 4.17RedHatodf4/odf-console-rhel9:1779952279*
Red Hat Openshift Data Foundation 4.17RedHatodf4/odf-multicluster-console-rhel9:1779952463*
Red Hat Openshift Data Foundation 4.18RedHatodf4/ocs-client-console-rhel9:1779881302*
Red Hat Openshift Data Foundation 4.18RedHatodf4/odf-console-rhel9:1779881608*
Red Hat Openshift Data Foundation 4.18RedHatodf4/odf-multicluster-console-rhel9:1779881122*
Red Hat Openshift Data Foundation 4.19RedHatodf4/ocs-client-console-rhel9:1779881012*
Red Hat Openshift Data Foundation 4.19RedHatodf4/odf-console-rhel9:1779881008*
Red Hat Openshift Data Foundation 4.19RedHatodf4/odf-multicluster-console-rhel9:1779881332*
Red Hat Openshift Data Foundation 4.2RedHatodf4/ocs-client-console-rhel9:1779879463*
Red Hat Openshift Data Foundation 4.2RedHatodf4/odf-console-rhel9:1779877770*
Red Hat Openshift Data Foundation 4.2RedHatodf4/odf-multicluster-console-rhel9:1779881377*
Red Hat Openshift Data Foundation 4.21RedHatodf4/ocs-client-console-rhel9:1779946521*
Red Hat Openshift Data Foundation 4.21RedHatodf4/odf-console-rhel9:1779946525*
Red Hat Openshift Data Foundation 4.21RedHatodf4/odf-multicluster-console-rhel9:1779946691*
Red Hat Satellite 6.18RedHatsatellite/iop-gateway-rhel9:1779706745*
Red Hat Satellite 6.19RedHatsatellite/iop-gateway-rhel9:1779706797*
Red Hat Update Infrastructure 5RedHatrhui5/cds-rhel9:1779798159*
Red Hat Update Infrastructure 5RedHatrhui5/rhua-rhel9:1779798222*
NginxUbuntuesm-infra-legacy/trusty*
NginxUbuntuesm-infra-legacy/xenial*
NginxUbuntuesm-infra/bionic*
NginxUbuntuesm-infra/focal*
NginxUbuntuesm-infra/xenial*
NginxUbuntujammy*
NginxUbuntunoble*
NginxUbuntuquesting*
NginxUbunturesolute*
NginxUbuntuupstream*

Potential Mitigations

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
  • Run or compile the software using features or extensions that randomly arrange the positions of a program’s executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as “rebasing” (for Windows) and “prelinking” (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

References