{
  "threat_severity" : "Critical",
  "public_date" : "2026-05-13T14:12:43Z",
  "bugzilla" : {
    "description" : "nginx: NGINX: Arbitrary Code Execution Vulnerability",
    "id" : "2477116",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477116"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-131",
  "details" : [ "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution if Address Space Layout Randomization (ASLR), a security technique to prevent exploitation, is disabled. Otherwise, this flaw causes a denial of service due to a restart of the NGINX worker process." ],
  "statement" : "Critical: This flaw in NGINX's ngx_http_rewrite_module can lead to arbitrary code execution due to a heap buffer overflow if Address Space Layout Randomization (ASLR) is disabled, or a denial of service otherwise. Exploitation requires specific, non-default NGINX rewrite configurations involving unnamed PCRE captures and a question mark in the replacement string.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18063",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nginx-2:1.26.3-2.el10_1.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19159",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "nginx-2:1.26.3-6.el10_2.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17790",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "nginx-2:1.26.3-1.el10_0.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18041",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nginx:1.24-8100020260514165201.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18029",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nginx-2:1.20.1-24.el9_7.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19371",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nginx:1.24-9080020260514160836.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19372",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nginx:1.26-9080020260514152324.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19374",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nginx-2:1.20.1-28.el9_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17791",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "nginx-1:1.20.1-10.el9_0.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17751",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "nginx-1:1.20.1-14.el9_2.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17792",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "nginx-1:1.20.1-16.el9_4.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17793",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "nginx:1.24-9040020260514192210.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17752",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nginx:1.24-9060020260514175739.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17753",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nginx:1.26-9060020260514170123.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-15T00:00:00Z",
    "advisory" : "RHSA-2026:17794",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nginx-2:1.20.1-22.el9_6.6"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17417",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nginx-main-1.30.1-1.hum1"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.14",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22396",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779972138"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.14",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22396",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/odf-console-rhel9:1779972283"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.14",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22396",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779972179"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.15",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22393",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779967811"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.15",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22393",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/odf-console-rhel9:1779967813"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.15",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22393",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779968303"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.16",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22394",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779959318"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.16",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22394",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9",
    "package" : "odf4/odf-console-rhel9:1779959527"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.16",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22394",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779959592"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.17",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22390",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.17::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779952245"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.17",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22390",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.17::el9",
    "package" : "odf4/odf-console-rhel9:1779952279"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.17",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22390",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.17::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779952463"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.18",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22388",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.18::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779881302"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.18",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22388",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.18::el9",
    "package" : "odf4/odf-console-rhel9:1779881608"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.18",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22388",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.18::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779881122"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.19",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22389",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779881012"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.19",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22389",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9",
    "package" : "odf4/odf-console-rhel9:1779881008"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.19",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22389",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.19::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779881332"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.2",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779879463"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.2",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9",
    "package" : "odf4/odf-console-rhel9:1779877770"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.2",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779881377"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.21",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22382",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.21::el9",
    "package" : "odf4/ocs-client-console-rhel9:1779946521"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.21",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22382",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.21::el9",
    "package" : "odf4/odf-console-rhel9:1779946525"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4.21",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22382",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.21::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:1779946691"
  }, {
    "product_name" : "Red Hat Satellite 6.18",
    "release_date" : "2026-05-25T00:00:00Z",
    "advisory" : "RHSA-2026:20442",
    "cpe" : "cpe:/a:redhat:satellite:6.18::el9",
    "package" : "satellite/iop-gateway-rhel9:1779706745"
  }, {
    "product_name" : "Red Hat Satellite 6.19",
    "release_date" : "2026-05-25T00:00:00Z",
    "advisory" : "RHSA-2026:20444",
    "cpe" : "cpe:/a:redhat:satellite:6.19::el9",
    "package" : "satellite/iop-gateway-rhel9:1779706797"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21275",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-rhel9:1779798159"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21275",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:1779798222"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Affected",
    "package_name" : "3scale-amp2/apicast-gateway-rhel8",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Lightspeed proxy 1",
    "fix_state" : "Affected",
    "package_name" : "insights-proxy/insights-proxy-container-rhel9",
    "cpe" : "cpe:/a:redhat:insights_proxy:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42945\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42945\nhttps://depthfirst.com/nginx-rift\nhttps://my.f5.com/manage/s/article/K000161019" ],
  "csaw" : true,
  "name" : "CVE-2026-42945"
}