Overview
- Security researchers and F5 disclosed CVE-2026-42945, a critical heap overflow in NGINX’s rewrite module that can allow remote code execution or crash worker processes.
- The flaw is triggered by rewrite rules that use unnamed regex captures like $1 with a replacement that includes a question mark, letting a single crafted HTTP request overrun memory.
- Fixes are out for NGINX Open Source (1.30.1 and 1.31.0), NGINX Plus (R32 P6 and R36 P4), and multiple F5/NGINX products including Instance Manager, App Protect, DoS, Gateway Fabric, and Ingress Controller.
- Admins who cannot upgrade can replace unnamed captures with named captures in affected rewrite directives to block the vulnerable code path and reduce risk.
- No exploitation has been reported at disclosure, and researchers note RCE is harder with ASLR enabled, though crashing workers for denial of service is straightforward on vulnerable setups.
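To apply the named-capture mitigation you first have to find the affected directives. The following is an added example, not code from F5, NGINX, or the researchers: a heuristic audit that flags `rewrite` directives whose replacement contains a question mark and references an unnamed capture (`$1` to `$9`), as the overview describes. The function names and the sample configuration are constructed for illustration.

```python
import re

# One nginx argument: double-quoted, single-quoted, or a bare token.
ARG = r'''("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[^\s;{]+)'''
# A rewrite directive at the start of a line or after ';', '{' or '}'.
REWRITE = re.compile(r'(?:^|[;{}])\s*(?P<kw>rewrite)\s+' + ARG + r'\s+' + ARG, re.M)
UNNAMED = re.compile(r'\$[1-9]')  # positional capture references $1..$9

def unquote(arg):
    """Drop one layer of surrounding quotes from an nginx argument."""
    return arg[1:-1] if arg[0] in "\"'" else arg

def find_risky_rewrites(conf_text):
    """Return (line, regex, replacement) for each rewrite whose replacement
    contains '?' and references an unnamed capture."""
    # Heuristic comment stripping: '#' at line start or after whitespace.
    text = re.sub(r'(?m)(^|\s)#.*$', r'\1', conf_text)
    hits = []
    for m in REWRITE.finditer(text):
        regex, repl = unquote(m.group(2)), unquote(m.group(3))
        if '?' in repl and UNNAMED.search(repl):
            line = text.count('\n', 0, m.start('kw')) + 1
            hits.append((line, regex, repl))
    return hits

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = r"""server {
    # rewrite ^/old/(.*)$ /new?id=$1;
    rewrite ^/users/(.*)$ /profile?id=$1 last;
    rewrite ^/blog/(?<slug>.+)$ /post?slug=$slug last;
    rewrite ^/static/(.*)$ /assets/$1 break;
    location /api { if ($arg_v) { rewrite "^/api/(\d+)/(.*)" "/v$1/index.php?path=$2" last; } }
}
"""

if __name__ == "__main__":
    for line, regex, repl in find_risky_rewrites(SAMPLE):
        # Mitigation from the overview: name the group, e.g. (?<id>.*),
        # and reference it as $id instead of $1.
        print(f"line {line}: rewrite {regex} -> {repl}")
```

The scan reads one file's text at a time, so run it over every file pulled in by `include`, for example the output of `nginx -T`.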