CVE-2026-42945 is a heap memory corruption issue in NGINX's rewrite module (ngx_http_rewrite_module) that can lead to a heap-based buffer overflow during rewrite processing. The vulnerability is remotely reachable over HTTP and can be triggered without authentication when specific rewrite-rule patterns are present, so internet-facing NGINX reverse proxies that use such rules are potentially at risk.
DoS is the most consistently described outcome, with worker crashes and restarts, while researchers note a potential for remote code execution in certain environments, particularly where ASLR is disabled. Affected versions are NGINX Open Source 0.6.27 through 1.30.0, with fixes in 1.30.1+ and 1.31.0+; organisations should verify the actual version and whether their builds include the triggering rewrite rules.
Reports describe a pattern involving unnamed PCRE captures and a replacement string containing a question mark, followed by another directive, which tends to surface in environments that rely on rewrite chains for routing or for fronting applications. According to SOCRadar, the vulnerability was introduced around 2008 and has seen disclosures and coverage in 2026, with the PoC demonstrating unauthenticated RCE with ASLR disabled.
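As an added triage aid (not code from the advisory, SOCRadar or the NGINX project), the script below does the two checks the text asks operators to make: whether a reported version falls in the affected range 0.6.27 through 1.30.0, and whether a configuration contains rewrite directives that match the described shape, an unnamed PCRE capture plus a `?` in the replacement. The "followed by another directive" condition is not modelled, so a hit is a candidate for manual review, not a confirmed trigger; the regex heuristic for unnamed captures and the sample configuration are assumptions constructed for the example.

```python
import re

# Constructed sample nginx configuration fragment (not taken from any real deployment).
SAMPLE_CONF = """
server {
    listen 80;
    rewrite ^/old/(.*)$ /new/$1?legacy=1 last;
    rewrite ^/api/(?<ver>v[0-9]+)/(.*)$ /backend/$ver/$2 break;
    rewrite ^/static/(.*)$ /assets/$1 permanent;
    location / { proxy_pass http://app; }
}
"""

AFFECTED_MIN = (0, 6, 27)   # first affected release named in the advisory
AFFECTED_MAX = (1, 30, 0)   # last affected release; 1.30.1+ and 1.31.0+ are fixed

# Matches "rewrite <regex> <replacement> [flag];" on a single line.
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;')


def parse_version(s):
    """Turn 'nginx/1.30.0' (the 'nginx -v' form) or '1.30.0' into a comparable tuple."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(s):
    """True when the version lies inside the affected range given in the advisory."""
    return AFFECTED_MIN <= parse_version(s) <= AFFECTED_MAX


def has_unnamed_capture(pattern):
    """Heuristic (assumption): an unescaped '(' not followed by '?' opens an
    unnamed capturing group. Named groups (?<n>...)/(?P<n>...) and
    non-capturing groups (?:...) both start with '(?' and are skipped."""
    return re.search(r'(?<!\\)\((?!\?)', pattern) is not None


def suspicious_rewrites(conf):
    """Return (line_no, line) for rewrite directives whose regex has an unnamed
    capture and whose replacement contains '?', the shape the reports describe."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        regex, replacement = m.group(1), m.group(2)
        if has_unnamed_capture(regex) and '?' in replacement:
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    for ver in ("nginx/1.30.0", "nginx/1.30.1", "nginx/1.31.0"):
        print(f"{ver}: {'AFFECTED' if version_affected(ver) else 'not affected'}")
    for n, line in suspicious_rewrites(SAMPLE_CONF):
        print(f"review line {n}: {line}")
```

Run it against the output of `nginx -v` and the rendered configuration (`nginx -T`) rather than a single file, since rewrite rules are commonly spread across included snippets; a version in the affected range with no flagged rewrites still warrants the upgrade, because the heuristic only covers the pattern the reports describe.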