CVE-2026-42945
DOCUMENTATION: A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution if Address Space Layout Randomization (ASLR), a security technique to prevent exploitation, is disabled. Otherwise, this flaw causes a denial of service due to a restart of the NGINX worker process.
STATEMENT: Critical: This flaw in NGINX's ngx_http_rewrite_module can lead to arbitrary code execution due to a heap buffer overflow if Address Space Layout Randomization (ASLR) is disabled, or a denial of service otherwise. Exploitation requires specific, non-default NGINX rewrite configurations involving unnamed PCRE captures and a question mark in the replacement string.
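CONFIG AUDIT (added example, not part of the advisory and not vendor detection logic): the Python sketch below flags rewrite directives that match the precondition stated above, an unnamed PCRE capture group in the regex together with a question mark in the replacement string. The names find_risky_rewrites and unquote are hypothetical, the sample configuration is constructed, and the check is a heuristic derived only from the wording of this page.

```python
import re

# Constructed sample config; every path and location in it is made up.
SAMPLE = r'''
server {
    # rewrite ^/old/(.*)$ /new?p=$1 last;   (commented out)
    rewrite ^/shop/(.*)$ /index.php?item=$1 last;
    rewrite ^/docs/(?<page>.+)$ /view?page=$page last;
    rewrite ^/img/(.*)$ /static/$1 break;
    rewrite "^/u/(\d{1,9})$"
            "/user.php?id=$1" last;
}
'''

# One nginx argument: double-quoted, single-quoted, or a bare word.
ARG = r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[^\s;{}]+'''
# "rewrite <regex> <replacement> [flag];", possibly spread over several lines.
REWRITE = re.compile(
    rf'(?:^|[;{{}}\s])rewrite\s+({ARG})\s+({ARG})(?:\s+({ARG}))?\s*;')
# An unescaped "(" not followed by "?" opens an unnamed capture group;
# "(?:", "(?<name>" and "(?P<name>" are therefore skipped.
UNNAMED_GROUP = re.compile(r'(?<!\\)\((?!\?)')

def unquote(arg):
    """Strip one pair of matching surrounding quotes, if present."""
    return arg[1:-1] if len(arg) > 1 and arg[0] in "\"'" and arg[-1] == arg[0] else arg

def find_risky_rewrites(conf_text):
    """Return (line, regex, replacement) for rewrites matching the advisory's
    stated precondition. Heuristic: "(" inside a character class is also counted."""
    # Drop comments but keep newlines so reported line numbers stay correct.
    text = re.sub(r'(?m)(^|\s)#[^\n]*', r'\1', conf_text)
    findings = []
    for m in REWRITE.finditer(text):
        regex, replacement = unquote(m.group(1)), unquote(m.group(2))
        if '?' in replacement and UNNAMED_GROUP.search(regex):
            line = text.count('\n', 0, m.start(1)) + 1
            findings.append((line, regex, replacement))
    return findings

if __name__ == "__main__":
    for line, regex, replacement in find_risky_rewrites(SAMPLE):
        print(f"line {line}: rewrite {regex} {replacement}")
```

Included files are not followed, so run it over the full configuration dump produced by `nginx -T`. A hit means the directive matches the described precondition and the host should be prioritised for patching; it does not by itself prove the installed build is affected.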
References
https://access.redhat.com/security/cve/CVE-2026-42945
