NGINX Rewrite Module Heap Buffer Overflow Vulnerability Exposes Servers to Crash or Code Execution
A critical vulnerability in NGINX's rewrite module enables unauthenticated attackers to trigger heap buffer overflow conditions through specially crafted HTTP requests. The flaw, tracked as CVE-2026-42945, affects both NGINX Plus and NGINX Open Source installations. Under specific configuration conditions, the ngx_http_rewrite_module fails to properly sanitize input when processing unnamed Perl-Compatible Regular Expression (PCRE) captures containing question marks in replacement strings. The vulnerability may cause the NGINX worker process to crash, forcing a restart and creating a denial-of-service vector.
The exploitation path requires a precise sequence: a rewrite directive must be followed by another rewrite, if, or set directive, and an unnamed PCRE capture such as $1 or $2 must be used with a replacement string that includes a question mark character. F5 Networks, which maintains the NGINX software, has published technical disclosure details. Security researchers note that on systems where Address Space Layout Randomization (ASLR) is disabled, successful exploitation could potentially escalate beyond process crashes to arbitrary code execution.
OpenResty, the web platform extending NGINX with Lua scripting capabilities, has already committed patches addressing this flaw to its public repository, though a formal version release has not yet been issued. Organizations running NGINX with rewrite rules in their configuration should monitor vendor advisories and apply patches as they become available. The absence of a complete patch release from NGINX proper leaves production environments exposed to targeted exploitation attempts.
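To find which configurations meet the conditions described above, the following added example (not code from F5, the NGINX project, or this article) flags `rewrite` directives whose replacement contains both a `?` and an unnamed capture and that are followed, later in the same block, by `rewrite`, `if`, or `set`. That reading of the trigger conditions, the sample config, and the function names are assumptions.

```python
import re

SAMPLE_CONF = r"""# constructed sample config, not from the article
server {
    location /app/ {
        rewrite ^/app/(.*)$ /index.php?page=$1 break;  # '?' and $1 ...
        set $flag 1;                                   # ... then a set
    }
    location /misc/ {
        rewrite ^/old/(.*)$ /new/$1;                   # no '?' in replacement
        rewrite ^/solo/(.*)$ /s?q=$1 last;             # nothing follows it
    }
    location /named/ {
        rewrite ^/n/(?<id>\d+)$ /item?id=$id last;     # named capture only
        if ($arg_x) { return 403; }
    }
}
"""
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|#[^\n]*|[^\s;{}]+''')
UNNAMED = re.compile(r"\$\d")         # $1, $2, ...: unnamed PCRE captures
FOLLOWERS = {"rewrite", "if", "set"}  # follow-on directives the article names

def directives(conf):
    """Yield (block_id, line, words) per directive; an `if (...) {` opener counts."""
    stack, words, line = [0], [], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok in (";", "{", "}"):
            if words and tok != "}":
                yield stack[-1], line, words
            if tok == "{":
                stack.append(m.end())          # offset doubles as a unique block id
            elif len(stack) > 1 and tok == "}":
                stack.pop()
            words = []
        elif not tok.startswith("#"):          # skip comments
            line = conf.count("\n", 0, m.start()) + 1 if not words else line
            words.append(tok.strip("\"'"))

def find_risky(conf):
    """Lines of rewrites with '?' and $N that rewrite/if/set follows (assumed reading)."""
    hits, pending = [], {}                     # pending: block_id -> candidate line
    for block, line, words in directives(conf):
        if words[0] in FOLLOWERS and block in pending:
            hits.append(pending.pop(block))
        if (words[0] == "rewrite" and len(words) >= 3
                and "?" in words[2] and UNNAMED.search(words[2])):
            pending[block] = line
    return hits
```

`find_risky(SAMPLE_CONF)` reports only the `/app/` rewrite. The check is a triage heuristic: it does not follow `include` files or relate directives across nested blocks, so flagged lines are candidates for review against the vendor advisory rather than confirmed exposure.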