=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN545
_____________________________________________________________________

DATE                : 27/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running NGINX Plus, NGINX Open Source.

=====================================================================
https://my.f5.com/manage/s/article/K000161019
_____________________________________________________________________

 K000161019: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945
Published Date: May 13, 2026
Updated Date: May 21, 2026



Security Advisory Description

NGINX Plus and NGINX Open Source have a vulnerability in the
ngx_http_rewrite_module module. This vulnerability exists when the
rewrite directive is followed by a rewrite, if, or set directive and
an unnamed Perl-Compatible Regular Expression (PCRE) capture (for
example, $1, $2) with a replacement string that includes a question
mark (?). An unauthenticated attacker, given conditions beyond the
attacker's control, can exploit this vulnerability by sending crafted HTTP
requests. This may cause a heap buffer overflow in the NGINX worker
process leading to a restart. Additionally, attackers can execute
code on systems with Address Space Layout Randomization (ASLR)
disabled or when the attacker can bypass ASLR. (CVE-2026-42945)

Impact

This vulnerability may allow remote attackers to cause a
denial-of-service (DoS) on the NGINX system or possibly to trigger
code execution. There is no control plane exposure; this is a
data plane issue only.


Security Advisory Status

F5 Product Development has assigned ID 149 (NGINX Plus and NGINX OSS)
to this vulnerability. This issue has been classified as CWE-122:
Heap-based Buffer Overflow.

To determine if your product and version have been evaluated for
this vulnerability, refer to the Evaluated products box. To
determine if your release is known to be vulnerable, the components
or features that are affected by the vulnerability, and for
information about releases, point releases, or hotfixes that
address the vulnerability, refer to the following tables. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

BIG-IP Next

Product                    | Branch | Versions known to be vulnerable [1] | Fixes introduced in | Severity/CVSS score | Vulnerable component or feature
BIG-IP Next SPK            | All    | None                                | Not applicable      | Not vulnerable      | None
BIG-IP Next CNF            | All    | None                                | Not applicable      | Not vulnerable      | None
BIG-IP Next for Kubernetes | All    | None                                | Not applicable      | Not vulnerable      | None

[1] F5 evaluates only software versions that have not yet reached the
End of Technical Support (EoTS) phase of their lifecycle. For more
information, refer to the Security hotfixes section of K4602:
Overview of the F5 security vulnerability response policy.


BIG-IP and BIG-IQ

Product                       | Branch | Versions known to be vulnerable [1] | Fixes introduced in | Severity/CVSS score | Vulnerable component or feature
BIG-IP (all modules)          | All    | None                                | Not applicable      | Not vulnerable      | None
BIG-IQ Centralized Management | All    | None                                | Not applicable      | Not vulnerable      | None


F5 Distributed Cloud and NGINX Services

Service                             | Severity/CVSS score | Vulnerable component or feature
F5 Distributed Cloud (all services) | Not vulnerable      | None
F5 Silverline (all services)        | Not vulnerable      | None
NGINX One Console                   | Not vulnerable      | None


F5OS

Product | Branch | Versions known to be vulnerable [1] | Fixes introduced in | Severity/CVSS score | Vulnerable component or feature
F5OS-A  | All    | None                                | Not applicable      | Not vulnerable      | None
F5OS-C  | All    | None                                | Not applicable      | Not vulnerable      | None


NGINX

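Product                    | Branch | Versions known to be vulnerable [1] | Fixes introduced in | Severity/CVSS score [2]                        | Vulnerable component or feature
NGINX Plus                 | 37.x   | None                                | 37.0.0              | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module
NGINX Plus                 | Rx     | R32 - R36                           | R36 P4, R32 P6      | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module
NGINX Open Source          | 1.x    | 1.0.0 - 1.30.0                      | 1.31.0, 1.30.1      | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module
NGINX Open Source          | 0.x    | 0.6.27 - 0.9.7                      | Will not fix        | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | The ngx_http_rewrite_module module
NGINX Instance Manager     | 2.x    | 2.16.0 - 2.22.0                     | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Open Source software components
F5 WAF for NGINX           | 5.x    | 5.9.0 - 5.12.1                      | 5.13.0              | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components
NGINX App Protect WAF      | 5.x    | 5.1.0 - 5.8.0                       | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components
NGINX App Protect WAF      | 4.x    | 4.9.0 - 4.16.0                      | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components
F5 DoS for NGINX           | 4.x    | 4.8.0                               | 4.9.0               | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components
NGINX App Protect DoS      | 4.x    | 4.3.0 - 4.7.0                       | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components
NGINX Gateway Fabric       | 2.x    | 2.0.0 - 2.6.0                       | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components
NGINX Gateway Fabric       | 1.x    | 1.3.0 - 1.6.2                       | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components
NGINX Ingress Controller   | 5.x    | 5.0.0 - 5.4.2                       | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components
NGINX Ingress Controller   | 4.x    | 4.0.0 - 4.0.1                       | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components
NGINX Ingress Controller   | 3.x    | 3.5.0 - 3.7.2                       | None                | High/8.1 (CVSS v3.1), Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components
NGINX (all other products) | All    | None                                | Not applicable      | Not vulnerable                                 | None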

[2] Starting with the August 2024 Quarterly Security Notification, F5
will provide the CVSS v4.0 base score in addition to the CVSS v3.1
score, for first-party security issues only. The CVSS score link
takes you to a resource outside of MyF5, and the content may be
removed without our knowledge. For more information about how F5
uses CVSS v4.0, refer to K000140363: Overview of CVSS v4.0 in F5
security advisories.


Other products

Product       | Branch | Versions known to be vulnerable [1] | Fixes introduced in | Severity/CVSS score | Vulnerable component or feature
Traffix SDC   | All    | None                                | Not applicable      | Not vulnerable      | None
F5 AI Gateway | All    | None                                | Not applicable      | Not vulnerable      | None


Security Advisory Recommended Actions

If you are running a version listed in the "Versions known to be
vulnerable" column, you can eliminate this vulnerability by installing
a version listed in the "Fixes introduced in" column. If the "Fixes
introduced in" column does not list a version for your branch, then
no update candidate currently exists for that branch and F5 recommends
that you upgrade to a version with the fix (refer to the tables).

If the "Fixes introduced in" column lists a version prior to the one you
are running, in the same branch, then your version should have the fix.


Mitigation

To mitigate this vulnerability, use named captures instead of unnamed
captures in rewrite definitions.

For example, the following rewrite directive uses unnamed PCRE capture
groups, $1 and $2:

rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;

To mitigate this vulnerability for this example, replace $1 and $2 with
the appropriate named captures, $user_id and $section:

rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
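
A configuration audit for the pattern this advisory describes, added here as an example (not F5's or CERT-Renater's code): it flags rewrite directives whose replacement contains both a question mark and an unnamed capture, and reports whether a rewrite, if, or set directive follows in the same block. It is a heuristic that assumes one directive per line; the function names and the sample configuration are this example's own.

```python
import re

# One nginx argument: double-quoted, single-quoted, or a bare token.
ARG = r'("(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[^\s;{}]+)'
REWRITE = re.compile(r'^\s*rewrite\s+' + ARG + r'\s+' + ARG + r'(?:\s+\w+)?\s*;')
FOLLOWER = re.compile(r'^\s*(rewrite|if|set)\b')
UNNAMED = re.compile(r'\$[1-9]')  # positional captures $1..$9

def next_script_directive(lines, start):
    """First rewrite/if/set after lines[start] in the same block, else None."""
    depth = 0
    for line in lines[start + 1:]:
        m = FOLLOWER.match(line)
        if m and depth == 0:
            return m.group(1)
        depth += line.count('{') - line.count('}')
        if depth < 0:  # the enclosing block has closed
            break
    return None

def audit(config_text):
    """Flag rewrites with '?' plus $1..$9 in the replacement (heuristic)."""
    lines = config_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = REWRITE.match(line)
        replacement = m.group(2).strip('"\'') if m else ''
        if '?' in replacement and UNNAMED.search(replacement):
            findings.append({'line': i + 1, 'replacement': replacement,
                             'followed_by': next_script_directive(lines, i)})
    return findings

# Constructed sample; the first and third rewrite are the advisory's examples.
SAMPLE = r"""
server {
    location /users/ {
        rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
    }
    location /api/ {
        rewrite ^/api/(.*)$ /index.php?route=$1;
        set $backend api;
    }
    location /safe/ {
        rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
    }
}
"""
if __name__ == '__main__':
    print(*audit(SAMPLE), sep='\n')
```

Running it over the output of nginx -T covers included files as well; every finding is a candidate for conversion to named captures.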


Acknowledgments

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this
issue to our attention and following the highest standards of
coordinated disclosure.


Related Content

    K41942608: Overview of MyF5 security advisory articles
    K12201527: Overview of Quarterly Security Notifications
    K51812227: Understanding security advisory versioning
    K4602: Overview of the F5 security vulnerability response policy
    K4918: Overview of the F5 critical issue hotfix policy
    K39757430: F5 product and services lifecycle policy index
    K000090258: Download F5 products from MyF5
    K9970: Subscribe to email notifications regarding F5 products and security announcements
    K9957: Creating a custom RSS feed to view new and updated documents
    NGINX Glossary: What is a Control Plane?
    NGINX Glossary: What is a Data Plane?
    K000135931: Contact F5 Support


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




