CVE-2026-42945 is a critical heap buffer overflow vulnerability in the ngx_http_rewrite_module of NGINX, introduced in 2008 and patched in May 2026. It occurs due to a two-pass process in the rewrite script engine where an unpropagated flag causes undersized buffer allocation when rewrite replacements contain a question mark. This leads to attacker-controlled escaped URI data overflowing the heap buffer. The overflow can cause a denial-of-service condition by triggering a restart. Remote code execution is possible if Address Space Layout Randomization (ASLR) is disabled, through sophisticated heap feng shui techniques that corrupt memory pool cleanup pointers to invoke system commands. The vulnerability affects NGINX servers using rewrite and set directives. Official patches have been released by F5 for NGINX Plus versions 37.0.0, R36 P4, R32 P6, and open source versions 1.31.0 and 1.30.1.

The vulnerability can cause denial-of-service by crashing or restarting the NGINX server. Additionally, remote code execution is possible if ASLR is disabled on the target system, allowing an attacker to execute arbitrary commands remotely. This elevates the risk significantly on systems without ASLR or with ASLR disabled. No known active exploitation in the wild has been reported at this time.

Official patches addressing this vulnerability have been released by F5 for both NGINX Plus and open source versions. Users should apply the latest patches immediately to remediate the issue. If patching is not immediately possible, ensure ASLR is enabled on the host system to mitigate the risk of remote code execution. Monitor vendor advisories for any additional guidance.