CVE-2026-42945

HIGH · 8.1

hype LIKELY HACK · 72 hack

Working PoC public, vendors patching urgently, credible signal but marketing hyperbole inflates severity claims.

What: Heap buffer overflow in NGINX's ngx_http_rewrite_module triggered by crafted HTTP requests combining rewrite directives with unnamed PCRE captures and question marks in replacement strings. Affects NGINX Plus and Open Source; CVSS 8.1 (HIGH). RCE possible on systems without ASLR.

Why it matters: Public PoC disclosed on GitHub within 24 hours of CVE publication. Social chatter references working exploit code and urgent patching (versions 1.30.1, 1.31.0). Not yet KEV-listed but high engagement across security communities and active vendor response signaling. 18-year-old dormant flaw now weaponized.

Where it's seen: Security news outlets (The Hacker News, SecurityOnline) headline "RCE" and "critical"; threat intelligence accounts drop PoC links; defenders discussing patch timelines and config detection; marketers amplifying with "hijack one-third of internet" framing.

RISK: HIGH — Public PoC, RCE vector, widespread NGINX deployment, no KEV-listing yet but urgent patching underway.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/14/2026, 8:44:35 AM

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS 3.1 breakdown

Exploitability 2.2 · Impact 5.9

vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack vector: Network
Complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses

CWE-122

References

Other · 1

https://my.f5.com/manage/s/article/K000161019