
"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?)."
"An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible."
"The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. It has been codenamed NGINX Rift."
NGINX Plus and NGINX Open Source contain a vulnerability in the ngx_http_rewrite_module module. The flaw is triggered when a rewrite directive is followed by rewrite, if, or set directives and an unnamed PCRE capture such as $1 or $2, with a replacement string that includes a question mark. An unauthenticated attacker can send crafted HTTP requests to cause a heap buffer overflow in an NGINX worker process, which may lead to a restart. If ASLR is disabled, the vulnerability may also allow code execution. The issue was assigned CVE-2026-42945 with a CVSS v4 score of 9.2 and has been fixed in multiple NGINX Plus and NGINX Open Source versions, with some older Open Source ranges having no planned fixes.
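A configuration triage sketch for the trigger condition summarized above, added here as an example and not code from F5, NGINX or the original article. It assumes a simplified reading of the advisory: a `rewrite` whose replacement contains `?` is flagged when a later `rewrite`, `if` or `set` exists in the same block and an unnamed capture appears in either directive. The names `statements` and `audit` and the sample configuration are constructed for illustration.

```python
import re

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};]+')
UNNAMED_CAPTURE = re.compile(r"\$\d")      # $1, $2, ...
FOLLOWERS = {"rewrite", "if", "set"}       # directives named in the advisory

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = r"""
location /a/ {
    rewrite ^/a/(.*)$ /b/$1?src=a;            # '?' and unnamed capture
    set $orig $1;                             # follower directive
}
location /c/ {
    rewrite ^/c/(?<rest>.*)$ /d/$rest?src=c;  # named capture only
    set $flag 1;
}
"""

def statements(conf):
    """Split config text into (line, block_id, words), one per directive."""
    conf = re.sub(r"#[^\n]*", "", conf)    # naive: ignores '#' inside quotes
    out, words, stack, start = [], [], [0], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok not in ("{", "}", ";"):
            if not words:
                start = conf.count("\n", 0, m.start()) + 1
            words.append(tok.strip("\"'"))
            continue
        if words:
            out.append((start, stack[-1], words))
            words = []
        if tok == "{":
            stack.append(m.start() + 1)    # brace offset as a unique block id
        elif tok == "}" and len(stack) > 1:
            stack.pop()
    return out

def audit(conf):
    """Heuristic (assumed reading of the advisory): (rewrite_line, follower_line) to review."""
    stmts, findings = statements(conf), []
    for i, (line, block, w) in enumerate(stmts):
        if w[0] != "rewrite" or len(w) < 3 or "?" not in w[2]:
            continue
        later = [s for s in stmts[i + 1:] if s[1] == block and s[2][0] in FOLLOWERS]
        args = [w[2]] + [" ".join(s[2][1:]) for s in later]
        if later and any(UNNAMED_CAPTURE.search(a) for a in args):
            findings.append((line, later[0][0]))
    return findings
```

Run `audit` over the fully expanded configuration (for example the output of `nginx -T`) so that included files are covered. A hit marks a directive pair for manual review and patch prioritization; it does not confirm exposure.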
Read at The Hacker News