CVE-2026-42533 Heap Buffer Overflow in NGINX Map Directive
A heap buffer overflow vulnerability, CVE-2026-42533, exists in NGINX Plus and NGINX Open Source when a 'map' directive uses regex matching and references its capture variables before the map's output variable or uses a non-cacheable variable under certain conditions, allowing an unauthenticated attacker to send crafted HTTP requests causing denial-of-service or remote code execution.
What's new
- l1 merged source coverage: Vulnerability in NGINX ngx_http_slice_module allows memory disclosure or process restart Jul 15, 16:18 via nvd
A significant vulnerability, identified as CVE-2026-42533, has been discovered in NGINX Plus and NGINX Open Source versions. This heap buffer overflow vulnerability manifests when an NGINX configuration includes a map directive that uses regex matching, and within that directive, regex capture variables are referenced before the map's output variable. Alternatively, the same issue can occur if a non-cacheable variable is used within a string expression under specific conditions. An unauthenticated remote attacker can exploit this flaw by sending specially crafted HTTP requests to the vulnerable NGINX instance. Successful exploitation can lead to a denial-of-service (DoS) condition due to the NGINX worker process restarting. Furthermore, remote code execution (RCE) is possible if Address Space Layout Randomization (ASLR) is disabled or if the attacker can bypass ASLR. This vulnerability primarily affects the data plane of NGINX, with no control plane exposure.
Attack Chain
- An unauthenticated attacker identifies a target NGINX Plus or NGINX Open Source instance that is potentially configured with a vulnerable
mapdirective. - The attacker crafts a malicious HTTP request specifically designed to interact with the regex matching logic of a
mapdirective configured under the identified vulnerable conditions. - The crafted request exploits the condition where the
mapdirective references regex capture variables before its output variable or uses a non-cacheable variable in a string expression. - NGINX processes the specially formed HTTP request, which triggers the vulnerable code path within the
mapdirective's execution flow. - During this processing, a heap buffer overflow occurs within the targeted NGINX worker process.
- The heap buffer overflow causes the NGINX worker process to crash and restart, leading to a denial-of-service for legitimate users.
- If Address Space Layout Randomization (ASLR) is disabled on the target system or if the attacker possesses a method to bypass ASLR, the attacker leverages the buffer overflow to gain arbitrary code execution.
- The attacker successfully executes arbitrary code on the NGINX server, potentially leading to full system compromise or further malicious activities.
Impact
This vulnerability poses a significant risk of denial-of-service (DoS) to affected NGINX systems, as successful exploitation causes worker processes to crash and restart, disrupting service availability. For systems where Address Space Layout Randomization (ASLR) is disabled or successfully bypassed by an attacker, the heap buffer overflow can be leveraged to achieve remote code execution (RCE). This would allow an unauthenticated remote attacker to execute arbitrary code on the NGINX server, potentially leading to complete compromise of the server, data exfiltration, or further lateral movement within the victim's network. The issue is confined to the data plane, meaning the NGINX control plane itself is not directly exposed.
Recommendation
- Patch CVE-2026-42533 by updating NGINX Plus and NGINX Open Source to the latest secure versions as soon as they become available from the vendor.
- Review existing NGINX configurations for the presence of
mapdirectives that use regex matching and might be susceptible to the conditions described in CVE-2026-42533. - Ensure NGINX access and error logs (logsource category
webserver) are configured for comprehensive logging and are ingested into your SIEM for analysis of anomalous behavior or crash indicators.