{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nginx-plus/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-42945"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NGINX Plus","NGINX Open Source"],"_cs_severities":["high"],"_cs_tags":["cve","CVE-2026-42945","nginx","heap overflow","denial of service","webserver"],"_cs_type":"threat","_cs_vendors":["NGINX"],"content_html":"\u003cp\u003eNGINX Plus and NGINX Open Source are susceptible to a heap buffer overflow vulnerability (CVE-2026-42945) within the \u003ccode\u003engx_http_rewrite_module\u003c/code\u003e. This flaw arises when the \u003ccode\u003erewrite\u003c/code\u003e directive is used in conjunction with a subsequent \u003ccode\u003erewrite\u003c/code\u003e, \u003ccode\u003eif\u003c/code\u003e, or \u003ccode\u003eset\u003c/code\u003e directive, and an unnamed Perl-Compatible Regular Expression (PCRE) capture (e.g., \u003ccode\u003e$1\u003c/code\u003e, \u003ccode\u003e$2\u003c/code\u003e) includes a question mark (\u003ccode\u003e?\u003c/code\u003e) within its replacement string. An unauthenticated attacker, by sending specially crafted HTTP requests, can exploit this condition. Successful exploitation can lead to a heap buffer overflow in the NGINX worker process, resulting in a restart and potential denial of service. On systems where Address Space Layout Randomization (ASLR) is disabled, successful exploitation may lead to arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a vulnerable NGINX server. This request is designed to trigger the flawed rewrite logic.\u003c/li\u003e\n\u003cli\u003eThe request contains a specific URI or header that will be processed by the \u003ccode\u003engx_http_rewrite_module\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe NGINX configuration utilizes the \u003ccode\u003erewrite\u003c/code\u003e directive followed by either \u003ccode\u003erewrite\u003c/code\u003e, \u003ccode\u003eif\u003c/code\u003e, or \u003ccode\u003eset\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erewrite\u003c/code\u003e directive uses an unnamed PCRE capture (e.g., $1, $2) with a replacement string.\u003c/li\u003e\n\u003cli\u003eThe replacement string within the PCRE capture includes a question mark (\u003ccode\u003e?\u003c/code\u003e). This is a crucial component of the exploit.\u003c/li\u003e\n\u003cli\u003eWhen the NGINX worker processes the crafted request and applies the rewrite rules, the question mark within the PCRE capture\u0026rsquo;s replacement string causes a heap buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow corrupts memory within the NGINX worker process.\u003c/li\u003e\n\u003cli\u003eThe corruption leads to a crash of the NGINX worker process, causing a restart and potential denial of service. On systems with ASLR disabled, the attacker might achieve code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42945 can lead to a denial-of-service condition, as the NGINX worker process crashes and restarts. This can disrupt web services and applications served by the affected NGINX instance. In scenarios where ASLR is disabled, the attacker could potentially achieve arbitrary code execution on the server, leading to complete system compromise. The number of affected systems depends on the prevalence of vulnerable NGINX configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the official patch or upgrade to a version of NGINX Plus or NGINX Open Source that addresses CVE-2026-42945.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect exploitation attempts targeting CVE-2026-42945 in your NGINX webserver logs.\u003c/li\u003e\n\u003cli\u003eEnable Address Space Layout Randomization (ASLR) on systems running NGINX to mitigate potential code execution following a heap overflow.\u003c/li\u003e\n\u003cli\u003eReview NGINX configurations for instances of the \u003ccode\u003erewrite\u003c/code\u003e directive used in conjunction with \u003ccode\u003erewrite\u003c/code\u003e, \u003ccode\u003eif\u003c/code\u003e, or \u003ccode\u003eset\u003c/code\u003e and unnamed PCRE captures containing question marks (\u003ccode\u003e?\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:26:37Z","date_published":"2026-05-13T16:26:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nginx-heap-overflow/","summary":"NGINX Plus and NGINX Open Source are vulnerable to a heap buffer overflow (CVE-2026-42945) due to crafted HTTP requests when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed PCRE capture with a replacement string that includes a question mark, potentially leading to denial of service or code execution.","title":"CVE-2026-42945: NGINX ngx_http_rewrite_module Heap Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2026-05-nginx-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — NGINX Plus","version":"https://jsonfeed.org/version/1.1"}