CVE-2026-42945
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
8 articles across 4 outlets · first covered May 14, 2026 · latest May 18, 2026
Tracked incidents
Coverage timeline
-
Hackers Exploit NGINX Zero Day CVE-2026-42945 in Wildwww.securityweek.com · May 18, 2026
-
NGINX Rift flaw CVE-2026-42945 exploited despite ASLR mitigationssecurityaffairs.com · May 18, 2026
-
CVE-2026-42945 Exploit Seen In Wild, NGINX Users Urged To Patchthehackernews.com · May 17, 2026
-
PoC Code Published for Critical NGINX Vulnerabilitywww.securityweek.com · May 16, 2026
-
NGINX Rift flaw lets attackers run code with one HTTP requestsecurityaffairs.com · May 14, 2026
-
CVE-2026-42945: NGINX Rewrite Bug Allows Remote Code Executionsocradar.io · May 14, 2026
-
F5 fixes NGINX heap overflow and iControl REST command injectionwww.securityweek.com · May 14, 2026
-
NGINX Rift Bug Lets Attackers Run Code Remotely via Malicious URIthehackernews.com · May 14, 2026