Public bug reported:

Summary
-------

A heap-based buffer overflow (CWE-122) affects the nginx source package in
all currently supported Ubuntu releases. The flaw resides in
src/http/ngx_http_script.c inside ngx_http_rewrite_module and is reachable
by unauthenticated remote attackers via crafted HTTP requests when a
vulnerable configuration pattern is present. CVSS v4.0 9.2 (Critical) /
CVSS v3.1 8.1 (High) per F5.
CVE: CVE-2026-42945
Public disclosure: 2026-05-13 (F5 coordinated advisory K000161019; also
tracked publicly as "NGINX Rift").

Affected upstream versions
--------------------------

nginx Open Source 0.6.27 through 1.30.0 (i.e. every version shipped by
Ubuntu in supported releases, including 1.18.0 in focal, 1.18.0 in jammy,
and 1.24.0 in noble; please confirm against the archive for any interim
releases). Fixed upstream in 1.30.1 and 1.31.0.

Impact
------

- Reachable from the network with no authentication and no prior session.
- Deterministic heap corruption in the worker process; bytes written past the
  allocation are derived from the attacker-controlled URI.
- Confirmed outcome: worker process crash (DoS via repeated requests keeps
  workers in a restart loop).
- Code execution in the worker is possible on builds where ASLR is disabled.
  Ubuntu enables ASLR by default, but the heap corruption itself is still a
  high-severity issue, and hardened builds should not be assumed to be
  unexploitable.

Trigger
-------

The bug is reached when a rewrite directive uses an unnamed PCRE capture
($1, $2, ...) with a replacement string containing a question mark, and is
followed in the same scope by another rewrite, if, or set directive.

Vulnerable config pattern:

    rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;

Root cause
----------

When the rewrite replacement contains '?', ngx_http_script_start_args_code
sets e->is_args = 1 on the main script engine and never clears it. The
subsequent ngx_http_script_complex_value_code recomputes the destination
length using a freshly zeroed sub-engine, so
ngx_http_script_copy_capture_len_code measures the capture as raw bytes. The
actual copy then runs on the main engine, which still has is_args = 1, so
ngx_http_script_copy_capture_code re-escapes the capture through
ngx_escape_uri in NGX_ESCAPE_ARGS mode. Each '+', '%', or '&' byte in the
capture expands by two bytes, but the destination was sized for the raw
length.
The write runs past the allocation.

Requested action
----------------

Backport the upstream fix (present in 1.30.1 / 1.31.0) to the nginx packages
in all supported Ubuntu releases (focal/ESM, jammy, noble, and any interim
releases shipping an affected version), and publish via -security.

Workaround (for the SRU description / USN, not a substitute for the fix)
------------------------------------------------------------------------

Replace unnamed PCRE captures with named captures in any rewrite directive
whose replacement contains a '?' and which is followed by rewrite/if/set in
the same scope:

    rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$
            /profile.php?id=$user_id&tab=$section last;

References
----------

- CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-42945
- F5 advisory: https://my.f5.com/manage/s/article/K000161019
- Writeup: https://depthfirst.com/nginx-rift

** Affects: nginx (Ubuntu)
     Importance: Undecided
         Status: New
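To find the configurations that need the named-capture workaround above, here is an added example (not code from the bug report, F5, or the nginx project): a small Python checker that parses an nginx config and flags every rewrite matching the trigger described in the Trigger section. The sample config is constructed for this example, and the tokenizer is simplified; it assumes regexes containing '{', '}' or ';' are quoted, as nginx requires.

```python
import re

# Constructed sample config (not from the bug report): only /users/ matches the trigger.
SAMPLE_CONF = """
server {
    location /users/ {
        rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
        set $backend app;   # rewrite/if/set follows in the same scope
    }
    location /other/ {
        rewrite ^/other/(?<sid>[0-9]+)$ /view.php?id=$sid last;   # named capture only
        rewrite ^/other/([0-9]+)$ /last.php?id=$1 last;           # nothing follows it
    }
}
"""

# Simplified nginx tokenizer: quoted strings, block delimiters, bare words.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
FOLLOWERS = {"rewrite", "if", "set"}

def parse(tokens, pos=0):
    # Build one scope as a list of (name, args, children); children is None for simple directives.
    scope, cur = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == ';' and cur:
            scope.append((cur[0], cur[1:], None)); cur = []
        elif tok == '{' and cur:
            children, pos = parse(tokens, pos)
            scope.append((cur[0], cur[1:], children)); cur = []
        elif tok == '}':
            return scope, pos
        else:
            cur.append(tok.strip('"\''))
    return scope, pos

def find_rift_patterns(conf_text):
    # Flag a rewrite whose replacement contains '?' and an unnamed capture ($1..$9)
    # and that is followed in the same scope by another rewrite, if or set directive.
    hits = []
    def walk(scope, path):
        for i, (name, args, children) in enumerate(scope):
            if (name == 'rewrite' and len(args) >= 2 and '?' in args[1]
                    and re.search(r'\$\d', args[1])
                    and any(d[0] in FOLLOWERS for d in scope[i + 1:])):
                hits.append((path, ' '.join(args)))
            if children is not None:
                walk(children, path + (' '.join([name] + args),))
    walk(parse(TOKEN.findall(re.sub(r'#[^\n]*', '', conf_text)))[0], ())
    return hits
```

Each hit is reported with the enclosing block path (for example `('server', 'location /users/')`) and the offending rewrite arguments, so the directive can be converted to named captures or the fixed package prioritised for that host.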
** Information type changed from Private Security to Public

** CVE added: https://cve.org/CVERecord?id=CVE-2026-42945

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2152577

Title:
  CVE-2026-42945: heap-based buffer overflow in ngx_http_rewrite_module
  (NGINX Rift)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/2152577/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
