FYI Maxim the fix for the buffer overrun in rewrite is a one line patch.
Sent from my Galaxy -------- Original message -------- From: Maxim Dounin <[email protected]> Date: 5/14/26 20:09 (GMT-05:00) To: [email protected] Subject: Re: CVE status Hello! On Thu, May 14, 2026 at 02:15:35PM -0700, [email protected] wrote: > Hi, > > does CVE-2026-42945 apply to freenginx? And if yes, will there be a point > release to fix it? > > Here's the reference: > > https://nvd.nist.gov/vuln/detail/CVE-2026-42945 It does apply. Note though that triggering this bug requires rather specific configuration (a matched "rewrite" which changes request arguments but continues rewrite processing, that is, without "break" or any other flags, followed by a "set" or "if" which uses positional captures or another matched rewrite which uses positional captures and additional variables or duplicate positional captures), and therefore most configurations won't be affected at all. As a reference point, none of the examples provided in the rewrite documentation are affected. I'm currently looking into this, as well as other issues published by F5, and will provide appropriate patches shortly. Once patches are ready, there will be a release. -- Maxim Dounin http://mdounin.ru/
