Message-ID: <329298cc-fc7e-4d1d-854d-58b3d96da252@oracle.com>
Date: Wed, 13 May 2026 10:55:04 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945

https://my.f5.com/manage/s/article/K000161019 advises:
> NGINX Plus and NGINX Open Source have a vulnerability in the
> ngx_http_rewrite_module module. This vulnerability exists when the
> rewrite directive is followed by a rewrite, if, or set directive and
> an unnamed Perl-Compatible Regular Expression (PCRE) capture (for
> example, $1, $2) with a replacement string that includes a question
> mark (?). An unauthenticated attacker along with conditions beyond its
> control can exploit this vulnerability by sending crafted HTTP
> requests. This may cause a heap buffer overflow in the NGINX worker
> process leading to a restart. Additionally, for systems with Address
> Space Layout Randomization (ASLR) disabled, code execution is
> possible. (CVE-2026-42945)

Versions 0.6.27 through 1.30.0 of the open source release are reported
vulnerable, with fixes listed in 1.31.0 and 1.30.1.  CVSS scores are
shown as High/8.1 (CVSS v3.1) or Critical/9.2 (CVSS v4.0).

https://depthfirst.com/nginx-rift provides more information about the
vulnerability and how it was found, with this summary:
> An 18 year old memory corruption flaw in NGINX Plus and NGINX Open
> Source lets an unauthenticated attacker crash worker processes or
> execute remote code with crafted HTTP requests.
> 
> A bug in the ngx_http_rewrite_module lets a remote, unauthenticated
> attacker corrupt the heap of an NGINX worker process by sending a
> crafted URI. The trigger is a common configuration pattern: a rewrite
> directive with an unnamed regex capture ($1, $2) and a replacement
> string that contains a question mark, followed by another rewrite, if,
> or set directive.
> 
> When that pattern is present, NGINX computes the destination buffer
> using one set of escaping assumptions and then writes to it using
> another. The write runs past the allocated buffer, producing
> deterministic memory corruption.
> 
> Any NGINX deployment running an affected version with that pattern is
> exposed until it is patched or reconfigured.

https://github.com/nginx/nginx/releases/tag/release-1.30.1 lists additional
CVEs fixed in this release:
> nginx-1.30.1 stable version has been released with fixes for HTTP/2
> request injection vulnerability in the ngx_http_proxy_module
> (CVE-2026-42926), buffer overflow vulnerability in the
> ngx_http_rewrite_module (CVE-2026-42945), buffer overread
> vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module
> (CVE-2026-42946), buffer overread vulnerability in the
> ngx_http_charset_module (CVE-2026-42934), address spoofing
> vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free
> vulnerability in OCSP requests to resolver (CVE-2026-40701).

https://github.com/nginx/nginx/releases/tag/release-1.31.0 similarly lists
for that release:
> nginx-1.31.0 mainline version has been released with fixes for HTTP/2
> request injection vulnerability in the ngx_http_proxy_module
> (CVE-2026-42926), buffer overflow vulnerability in the
> ngx_http_rewrite_module (CVE-2026-42945), buffer overread
> vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module
> (CVE-2026-42946), buffer overread vulnerability in the
> ngx_http_charset_module (CVE-2026-42934), address spoofing
> vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free
> vulnerability in OCSP requests to resolver (CVE-2026-40701).
> Additionally, the release features support for HTTP forward proxy.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
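The trigger described above is a configuration pattern rather than a request shape, so the defender-side check is to find that pattern in the running configuration before patching or reconfiguring. What follows is an added example, not code from nginx, F5, Oracle or the post above: a heuristic Python linter that walks a simplified reading of nginx syntax (statements end at `;`, `{` or `}`; `#` starts a comment) and flags a `rewrite` whose replacement references an unnamed capture (`$1`, `$2`, ...) and contains `?`, followed in the same block by another `rewrite`, `if` or `set`. The embedded sample configuration is constructed. The reading of "followed by" as the next `rewrite`/`if`/`set` directive in the same block, ignoring unrelated directives in between, is an assumption of this example, not something the advisory states.

```python
"""Heuristic audit for the rewrite pattern named in the CVE-2026-42945
advisory. Added example, not nginx/F5 code; not a full nginx config parser."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# One rewrite argument: double-quoted, single-quoted, or a bare token.
_ARG = r'"([^"]*)"|\'([^\']*)\'|(\S+)'
# `rewrite <regex> <replacement> ...`: groups 1-3 are the regex, 4-6 the replacement.
_REWRITE = re.compile(r"^rewrite\s+(?:%s)\s+(?:%s)" % (_ARG, _ARG))
_UNNAMED_CAPTURE = re.compile(r"\$\d+")       # $1, $2, ... (not $named)
_FOLLOWERS = ("rewrite", "if", "set")         # the directives the advisory lists


@dataclass
class Finding:
    line: int            # 1-based line of the risky rewrite
    replacement: str
    follower_line: int   # line of the rewrite/if/set that follows it
    follower: str


def _statements(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (start_line, statement, terminator). Terminator is ';', '{' or '}'
    seen outside quotes; '#' outside quotes is a comment to end of line.
    (Assumption: this simplified tokenizer is enough for typical configs.)"""
    buf: List[str] = []
    start_line, line, i, n = 0, 1, 0, len(text)
    quote: Optional[str] = None
    while i < n:
        ch = text[i]
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch == "#":
            while i < n and text[i] != "\n":   # skip comment, keep the newline
                i += 1
            continue
        elif ch in ";{}":
            yield start_line, "".join(buf).strip(), ch
            buf, start_line = [], 0
        else:
            if ch in "\"'":
                quote = ch
            if start_line == 0 and not ch.isspace():
                start_line = line            # first non-blank char of the statement
            buf.append(ch)
        if ch == "\n":
            line += 1
        i += 1


def _first_group(m: "re.Match", *idx: int) -> Optional[str]:
    for g in idx:
        if m.group(g) is not None:
            return m.group(g)
    return None


def risky_replacement(stmt: str) -> Optional[str]:
    """Return the replacement if `stmt` is a rewrite whose replacement uses an
    unnamed capture and contains '?' (the two properties the advisory names)."""
    m = _REWRITE.match(stmt.strip())
    if not m:
        return None
    repl = _first_group(m, 4, 5, 6)
    if repl and "?" in repl and _UNNAMED_CAPTURE.search(repl):
        return repl
    return None


def audit_config(text: str) -> List[Finding]:
    """Flag each risky rewrite that is followed, in the same block, by the next
    rewrite/if/set directive. Pending rewrites are tracked per block depth."""
    findings: List[Finding] = []
    pending: Dict[int, Tuple[int, str]] = {}
    depth = 0
    for line_no, stmt, term in _statements(text):
        if term == "}":
            pending.pop(depth, None)       # leaving a block discards its pending rewrite
            depth -= 1
            continue
        if stmt:
            name = stmt.split()[0]
            if name in _FOLLOWERS:
                prev = pending.pop(depth, None)
                if prev is not None:
                    findings.append(Finding(prev[0], prev[1], line_no, name))
                repl = risky_replacement(stmt)
                if repl is not None:
                    pending[depth] = (line_no, repl)
        if term == "{":
            depth += 1
    return findings


# Constructed sample configuration: only the /old/ block matches the pattern.
SAMPLE_CONFIG = """
server {
    listen 80;
    location /old/ {
        # risky: unnamed capture, '?' in replacement, then another rewrite
        rewrite ^/old/(.*)$ /new/$1?from=old last;
        rewrite ^/new/(.*)$ /final/$1 last;
    }
    location /named/ {
        # not flagged: named capture, no $N in the replacement
        rewrite ^/named/(?<tail>.*)$ /new/$tail?x=1 last;
        set $marker 1;
    }
    location /alone/ {
        # not flagged: nothing follows the rewrite in this block
        rewrite ^/alone/(.*)$ /x/$1?y=2 last;
    }
    location /noq/ {
        # not flagged: capture but no '?' in the replacement
        rewrite ^/noq/(.*)$ /y/$1 last;
        if ($arg_debug) { return 403; }
    }
}
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line}: rewrite to '{f.replacement}' followed by "
              f"'{f.follower}' on line {f.follower_line}")
```

In practice feed it the full effective configuration (for example the output of `nginx -T`, which dumps every included file) rather than a single file, since the pattern may be split across includes; the linter strips the `# configuration file ...` comment lines that dump emits. A hit means the block needs the fixed release or a change to the rewrite; a clean run is a heuristic result, not proof of absence.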