Latest NGINX vulnerability: CVE-2026-42945 #
F5 published a security advisory that a high vulnerability was identified in multiple versions of NGINX products.
- CVE-2026-42945: A heap-based buffer overflow vulnerability exists in the ngx_http_rewrite_module component of NGINX products. This vulnerability has been designated CVE-2026-42945 and has been rated High with a CVSS score of 8.1.
The following versions are affected:
- NGINX Plus: Versions R32 through R36
- NGINX Open Source: Versions 1.0.0 through 1.30.0
- NGINX Open Source: Versions 0.6.27 through 0.9.7
- NGINX Instance Manager: Versions 2.16.0 through 2.21.1
- F5 WAF for NGINX: Versions 5.9.0 through 5.12.1
- NGINX App Protect WAF: Versions 5.1.0 through 5.8.0
- NGINX App Protect WAF: Versions 4.9.0 through 4.16.0
- F5 DoS for NGINX: Version 4.8.0
- NGINX App Protect DoS: Versions 4.3.0 through 4.7.0
- NGINX Gateway Fabric: Versions 2.0.0 through 2.5.1
- NGINX Gateway Fabric: Versions 1.3.0 through 1.6.2
- NGINX Ingress Controller: Versions 5.0.0 through 5.4.1
- NGINX Ingress Controller: Versions 4.0.0 through 4.0.1
- NGINX Ingress Controller: Versions 3.5.0 through 3.7.2
What is NGINX? #
Nginx is a high-performance, open-source software used primarily as a web server and reverse proxy to efficiently handle large volumes of simultaneous connections. It is widely favored for its speed and stability, often serving as a load balancer or HTTP cache to optimize the delivery of web content.
What is the impact? #
A remote, unauthenticated attacker could exploit this vulnerability by sending crafted HTTP requests that trigger the vulnerable rewrite processing path, potentially allowing NGINX worker process restart (DoS). In environments where Address Space Layout Randomization (ASLR) is disabled, exploitation may also allow arbitrary code execution.
Are updates or workarounds available? #
Users are encouraged upgrade affected systems to the following versions:
- NGINX Plus Rx: Upgrade to R36 P4, R32 P6 or later
- NGINX Open Source: Upgrade to 1.31.0, 1.30.1 or later
To mitigate the vulnerability, users are encouraged to use named captures instead of unnamed captures within rewrite rules:
For example, the following rewrite directive uses unnamed capture groups: $1 and $2:
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;For this example, replacing $1 and $2 with $user_id and $section:
rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
((vendor:="F5" OR vendor:="NGINX") AND
(product:="nginx plus" OR product:="nginx" OR product:="nginx ingress controller"))
