https://my.f5.com/manage/s/article/K000161019 advises:
NGINX Plus and NGINX Open Source have a vulnerability in the
ngx_http_rewrite_module module. This vulnerability exists when the
rewrite directive is followed by a rewrite, if, or set directive and
an unnamed Perl-Compatible Regular Expression (PCRE) capture (for
example, $1, $2) with a replacement string that includes a question
mark (?). An unauthenticated attacker along with conditions beyond its
control can exploit this vulnerability by sending crafted HTTP
requests. This may cause a heap buffer overflow in the NGINX worker
process leading to a restart. Additionally, for systems with Address
Space Layout Randomization (ASLR) disabled, code execution is
possible. (CVE-2026-42945)
Versions 0.6.27 through 1.30.0 of the open source release are reported
vulnerable, with fixes listed in 1.31.0 and 1.30.1. CVSS scores are
shown as High/8.1 (CVSS v3.1) or Critical/9.2 (CVSS v4.0).
https://depthfirst.com/nginx-rift provides more information about the
vulnerability and how it was found, with this summary:
An 18 year old memory corruption flaw in NGINX Plus and NGINX Open
Source lets an unauthenticated attacker crash worker processes or
execute remote code with crafted HTTP requests.
A bug in the ngx_http_rewrite_module lets a remote, unauthenticated
attacker corrupt the heap of an NGINX worker process by sending
a crafted URI. The trigger is a common configuration pattern: a rewrite
directive with an unnamed regex capture ($1, $2) and a replacement
string that contains a question mark, followed by another rewrite, if,
or set directive.
When that pattern is present, NGINX computes the destination buffer
using one set of escaping assumptions and then writes to it using
another. The write runs past the allocated buffer, producing
deterministic memory corruption.
Any NGINX deployment running an affected version with that pattern is
exposed until it is patched or reconfigured.
https://github.com/nginx/nginx/releases/tag/release-1.30.1 lists additional
CVEs fixed in this release:
nginx-1.30.1 stable version has been released with fixes for HTTP/2
request injection vulnerability in the ngx_http_proxy_module
(CVE-2026-42926), buffer overflow vulnerability in the
ngx_http_rewrite_module (CVE-2026-42945), buffer overread
vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module
(CVE-2026-42946), buffer overread vulnerability in the
ngx_http_charset_module (CVE-2026-42934), address spoofing
vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free
vulnerability in OCSP requests to resolver (CVE-2026-40701).
https://github.com/nginx/nginx/releases/tag/release-1.31.0 similarly lists
for that release:
nginx-1.31.0 mainline version has been released with fixes for HTTP/2
request injection vulnerability in the ngx_http_proxy_module
(CVE-2026-42926), buffer overflow vulnerability in the
ngx_http_rewrite_module (CVE-2026-42945), buffer overread
vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module
(CVE-2026-42946), buffer overread vulnerability in the
ngx_http_charset_module (CVE-2026-42934), address spoofing
vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free
vulnerability in OCSP requests to resolver (CVE-2026-40701).
Additionally, the release features support for HTTP forward proxy.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
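For readers who want to triage their own hosts against the F5 and depthfirst descriptions above, here is an added example in Python (written for this post; it is not code from NGINX, F5 or depthfirst). It does two things: it decides whether an open source version string, such as the `nginx -v` banner, falls in the advisory's 0.6.27 through 1.30.0 range, and it scans an nginx configuration for the trigger shape the advisory describes (a rewrite whose replacement references an unnamed capture `$N` and contains `?`, followed in the same block by another rewrite, if or set). The function names, the minimal config tokenizer (which does not follow `include` and does not parse the regex itself) and the sample configuration are all my own constructions and assumptions; NGINX Plus release numbering is not handled, and a distribution build that backported the fix keeps its old version string, so the version check is only a first pass.

```python
"""Added example, not nginx/F5/depthfirst code: two exposure checks for
CVE-2026-42945. Version test uses the advisory's 0.6.27..1.30.0 range;
config test looks for the trigger shape (rewrite with $N and '?' in the
replacement, then another rewrite/if/set in the same block)."""
import re
from collections import namedtuple

AFFECTED_RANGE = ((0, 6, 27), (1, 30, 0))  # inclusive, per the F5 advisory
CAPTURE_REF = re.compile(r"\$\d")           # unnamed capture reference: $1, $2, ...
RISKY_NEXT = {"rewrite", "if", "set"}       # directives named in the advisory

Directive = namedtuple("Directive", "name args block line")  # block 0 = top level

def parse_version(text):
    """Pull x.y.z out of an 'nginx -v' banner or a bare version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected_version(text):
    """True for 0.6.27 .. 1.30.0 (1.30.1 and 1.31.0 carry the fix). Caveat:
    a distro build that backported the fix keeps its old version string."""
    lo, hi = AFFECTED_RANGE
    return lo <= parse_version(text) <= hi

def parse_nginx_conf(text):
    """Minimal nginx.conf tokenizer: quoted args, '#' comments, {} nesting."""
    out, stack, nblock, args, tok, line, start = [], [0], 1, [], None, 1, 1
    quote = comment = None
    for c in text:
        if c == "\n":
            line, comment = line + 1, None
        if comment:
            continue
        if quote:                              # inside '...' or "..."
            if c == quote:
                quote = None
            else:
                tok += c
        elif c == "#":
            comment = True
        elif c.isspace() or c in ";{}":
            if tok is not None:                # close the current argument
                args.append(tok)
                tok = None
            if c == "}":
                stack.pop()
            elif c in ";{":
                if args:
                    out.append(Directive(args[0], args[1:], stack[-1], start))
                    args = []
                if c == "{":                   # open a new block scope
                    stack.append(nblock)
                    nblock += 1
        else:                                  # token character or opening quote
            if tok is None:
                tok = ""
                if not args:
                    start = line               # line where this directive begins
            if c in "\"'":
                quote = c
            else:
                tok += c
    return out

def find_risky_rewrites(text):
    """Sorted (line, regex, replacement) for rewrites matching the trigger shape.
    Heuristic: looks for $N in the replacement rather than parsing the regex."""
    by_block = {}
    for d in parse_nginx_conf(text):
        by_block.setdefault(d.block, []).append(d)
    hits = []
    for block in by_block.values():
        for i, d in enumerate(block):
            if (d.name == "rewrite" and len(d.args) >= 2 and "?" in d.args[1]
                    and CAPTURE_REF.search(d.args[1])
                    and any(n.name in RISKY_NEXT for n in block[i + 1:])):
                hits.append((d.line, d.args[0], d.args[1]))
    return sorted(hits)

# Constructed sample configuration for this example, not a real deployment.
SAMPLE_CONF = r'''
http {
    server {
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1?from=legacy last;         # trigger shape
            set $flag 1;
        }
        location /api/ {
            rewrite "^/api/v1/(.*)$" "/api/v2/$1?compat=1" break;   # trigger shape, quoted
            if ($arg_debug) { return 403; }
        }
        location /named/ {
            rewrite ^/named/(?<id>[0-9]+)$ /item/$id? last;       # named capture, not $N
            set $flag 1;
        }
        location /last/ {
            rewrite ^/last/(.*)$ /new/$1? last;                   # no rewrite/if/set after
            return 301 https://example.com$uri;
        }
    }
}
'''

if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("1.30.0 affected:", is_affected_version("nginx version: nginx/1.30.0"))
    for line, regex, repl in find_risky_rewrites(conf):
        print(f"line {line}: rewrite {regex} {repl}")
```

Run it with a path to a real nginx.conf to scan that file, or with no argument to scan the constructed sample, where only the `/old/` and `/api/` rewrites are reported. A hit is a candidate for the reconfiguration the depthfirst summary mentions (or for patching), not proof of reachability; a clean scan of one file says nothing about directives pulled in through `include`.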