nginx CVE-2026-42945: rewrite heap overflow in 0.6.27–1.30.0, RCE without ASLR
TL;DR
Impact: nginx 0.6.27–1.30.0, nginx Plus, Ingress Controller, WAF products, etc. Only configs using ngx_http_rewrite_module with specific rewrite / if / set sequences are affected.
Fix: update to nginx 1.30.1 stable or 1.31.0 mainline. For nginx Plus and related products, follow the respective F5 advisories.
Interim: review rewrite rules whose replacement string combines unnamed PCRE captures ($1, $2, etc.) with ? and is followed by another rewrite / if / set.
F5 disclosed CVE-2026-42945 in nginx’s ngx_http_rewrite_module on May 13, 2026.
Affected versions span nginx 0.6.27 through 1.30.0, with fixes in 1.30.1 stable and 1.31.0 mainline.
On NVD, the CNA (F5) scores it CVSS v4.0 9.2 (Critical) and CVSS v3.1 8.1 (High).
The catch is that this is not “use nginx, get RCE.”
It’s “certain legacy rewrite patterns cause a heap corruption in the worker process when hit with a crafted URI.”
It is config-dependent, so a scanner's version check alone won't tell you whether your environment is exposed.
You need to look at the actual nginx config files: hand-written, template-generated, and migration-tool output alike.
The broken buffer calculation in rewrite
The trigger conditions are quite specific.
Per the oss-sec post citing the F5 advisory and the NVD description, the issue fires when a rewrite directive is followed by another rewrite, if, or set, and the replacement string combines unnamed PCRE captures ($1, $2, etc.) with ?.
Depthfirst’s technical writeup explains that nginx sizes the output buffer under one escaping scheme but performs the write under a different one, so the escaped output can be longer than the buffer it was sized for and the write runs past the allocated region.
The result is a heap-based buffer overflow (CWE-122) in the nginx worker process.
Typically this manifests as a worker crash and respawn, but on systems with ASLR disabled, code execution is reachable.
# Structural example only. Not for production use.
# Unnamed capture ($1) plus a literal '?' in the replacement, followed by
# another rewrite-module directive (set): the shape the advisory describes.
rewrite ^/old/(.*)$ /new?path=$1 last;
set $marker "value";
The attack depends not just on the URI payload but on server-side configuration.
Old PHP apps, CMS migrations, .htaccess conversion output, and admin-panel-injected custom snippets are places where these patterns tend to hide—often in generated configs rather than hand-written ones.
1.30.1 patches more than just CVE-2026-42945
The nginx.org announcement on May 13 lists multiple vulnerabilities fixed in 1.30.1 stable and 1.31.0 mainline.
The same release addresses an HTTP/2 request injection in ngx_http_proxy_module, buffer overreads in ngx_http_scgi_module / ngx_http_uwsgi_module, a buffer overread in ngx_http_charset_module, HTTP/3 address spoofing, and a use-after-free in the OCSP resolver.
The nginx security page lists CVE-2026-42945 severity as “medium,” while the CNA score shown on NVD is CVSS v4.0 9.2 (Critical).
This gap likely reflects nginx’s view that the bug requires specific config conditions and is mitigated by ASLR, versus the CNA score weighting unauthenticated network access and high impact on confidentiality, integrity, and availability.
For patching decisions, three things matter more than the severity label: whether the target config patterns exist, whether the endpoint is internet-facing, and what the worker process can reach.
As I wrote in the piece on NIST NVD abandoning full CVE enrichment, freshly published CVEs often have CNA and vendor advisory data before NVD completes its own analysis.
This one is no exception—the NVD page has F5-sourced descriptions, CVSS vectors, and CWE-122, but NVD’s own enrichment is still pending.
Different from the nginx-ui CVEs
The nginx-ui MCP endpoint auth bypass CVE-2026-33032 I wrote about in April was an authentication issue in the web management tool, not in nginx itself.
That one let unauthenticated requests reach /mcp_message to read and write config files.
CVE-2026-42945 is memory corruption in nginx core’s rewrite processing.
Operationally, though, they connect.
Management tools like nginx-ui, hosting panels, and .htaccess converters that generate nginx configs from user input can silently place rewrite rules that meet CVE-2026-42945’s trigger conditions.
A config that passes nginx -t is not thereby clear of this vulnerability: -t validates syntax and directive placement, not whether the rewrite rules have the shape the advisory describes.
What to check before updating
The fastest fix is upgrading nginx to 1.30.1 or 1.31.0.
For environments waiting on package distribution, start with config review.
Look for rewrite directives with unnamed captures and a ? in the replacement string, followed in the same block by another rewrite, if, or set.
A plain grep for rewrite over nginx.conf will miss directives in included snippets and in template-generated files that live elsewhere.
nginx -T dumps the fully expanded config (vhosts, locations, included confs, each prefixed with the file it came from) in one shot, which is faster and more complete to scan.
On the Kubernetes side, Ingress Controllers and WAF products are also in scope.
But the final nginx config that annotations and ConfigMaps expand into varies by controller implementation and version.
Don’t stop at the manifests—check the actual generated nginx.conf.
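As an added example (not code from this post, from nginx, or from F5), here is a small Python scanner that reads the text of nginx -T and applies the heuristic the advisory describes as summarized above: a rewrite whose replacement mixes an unnamed capture with a literal ?, followed later in the same block by another rewrite, if, or set. The "# configuration file ...:" marker lines it keys on are what nginx -T emits before each file; the sample config at the bottom is constructed for the demo, and the heuristic is deliberately broad, so every hit still needs a human look.

```python
"""Flag rewrite rules in `nginx -T` output with the CVE-2026-42945 trigger shape.

Heuristic, deliberately broad: a `rewrite` whose replacement mixes an unnamed
capture ($1..$9) with a literal '?', followed later in the same block by another
rewrite, if or set. Added example, not the post's or nginx's own code.
"""
import re
import sys

# `nginx -T` prefixes every file it read with a marker line of this form.
FILE_MARK = re.compile(r"^# configuration file (.+):$")
REWRITE = re.compile(r"^rewrite\s+(\S+)\s+(\S+)")  # regex, then replacement[;flag]
FOLLOWER = re.compile(r"^(rewrite|if|set)\s")      # the directives the advisory names
UNNAMED_CAPTURE = re.compile(r"\$\d")              # $1, $2, ...


def is_trigger(stmt):
    """True if `stmt` is a rewrite whose replacement contains both $N and '?'."""
    m = REWRITE.match(stmt)
    return bool(m and "?" in m.group(2) and UNNAMED_CAPTURE.search(m.group(2)))


def scan(dump):
    """Return one finding per trigger-shaped rewrite that a rewrite/if/set follows."""
    findings = []
    pending = {}  # block depth -> (file, line_no, rewrite stmt) awaiting a follower
    depth = 0
    current_file = "<stdin>"
    for n, raw in enumerate(dump.splitlines(), 1):
        fm = FILE_MARK.match(raw)
        if fm:
            current_file = fm.group(1)
            continue
        # Strip comments ('#' inside a quoted argument is rare and not handled).
        stmt = raw.split("#", 1)[0].strip()
        if not stmt:
            continue
        if depth in pending and FOLLOWER.match(stmt):
            f, ln, rw_stmt = pending.pop(depth)
            findings.append({"file": f, "line": ln, "rewrite": rw_stmt,
                             "next_line": n, "next": stmt})
        rw = REWRITE.match(stmt)
        if is_trigger(stmt):
            pending[depth] = (current_file, n, stmt)
        # Track nesting so "same block" means the same block. For a rewrite, count
        # braces only after its two arguments so a regex quantifier like a{2} is ignored.
        tail = stmt[rw.end():] if rw else stmt
        depth += tail.count("{") - tail.count("}")
        pending = {d: v for d, v in pending.items() if d <= depth}
    return findings


# Constructed sample in the shape `nginx -T` prints; not a real deployment.
SAMPLE = """\
# configuration file /etc/nginx/nginx.conf:
http { include /etc/nginx/conf.d/*.conf; }
# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    listen 80;
    # migrated from .htaccess: the shape the advisory describes
    rewrite ^/old/(.*)$ /new?path=$1 last;
    set $marker "value";
    location /blog {
        # named capture and no '?' in the replacement: outside the heuristic
        rewrite ^/blog/(?<slug>.*)$ /posts/$slug last;
        set $x 1;
    }
    location /api {
        # trigger-shaped, but nothing follows it in this block
        rewrite ^/api/(.*)$ /v2?q=$1 break;
    }
    location /shop {
        rewrite ^/shop/([0-9]+)$ /item?id=$1;
        if ($args ~ "debug") { return 403; }
    }
}
"""


def main():
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = scan(dump)
    for h in hits:
        print(f"{h['file']}:{h['line']}: {h['rewrite']}")
        print(f"{h['file']}:{h['next_line']}:   ... followed by: {h['next']}")
    return 1 if hits else 0  # non-zero exit makes it usable as a CI gate


if __name__ == "__main__":
    sys.exit(main())
```

Run it as nginx -T 2>/dev/null | python3 scan_rewrite.py on the host; with no piped input it scans the embedded sample and reports the /old and /shop rewrites but not the /blog or /api ones. For an Ingress Controller the same dump has to come from inside the controller pod (for example kubectl exec -n NAMESPACE POD -- nginx -T, assuming the image ships the nginx binary as ingress-nginx does), since that is where the annotations and ConfigMaps have already been expanded into nginx.conf.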
To this day I can’t write rewrite rules from memory, and I’ve never gotten one right on the first try.
This site’s lab has an .htaccess generator, if you’d rather not leave it all to AI.