NGINX Software Can Crash or Be Hacked with Malicious Requests
ALPINE-CVE-2026-42945 (CVE-2026-42945)
Severity: 9.4 (CVSS 4.0)
Summary
NGINX Open Source and NGINX Plus have a heap buffer overflow in the ngx_http_rewrite_module. It is reachable only in configurations where a rewrite directive whose replacement string uses an unnamed PCRE capture ($1, $2, ...) together with a question mark (?) is followed by another rewrite, an if, or a set directive. Against such a configuration an unauthenticated attacker can send crafted HTTP requests that crash the worker process (nginx restarts it) and, where ASLR is disabled or can be bypassed, may achieve code execution. If you run nginx from the Alpine packages listed below, update to the fixed package.
What to do
- Update nginx to version 1.28.3-r1 or later (`apk upgrade nginx` on Alpine 3.22 and 3.23).
- Until every host is updated, check the configuration (`nginx -T`) for the affected pattern from the original description: a rewrite whose replacement contains an unnamed capture such as $1 and a question mark, followed by a rewrite, if, or set directive. Hosts without that pattern are not exposed to this issue.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| Alpine:v3.22 | – | nginx | < 1.28.3-r1 | upgrade to 1.28.3-r1 |
| Alpine:v3.23 | – | nginx | < 1.28.3-r1 | upgrade to 1.28.3-r1 |
Original title
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and ...
Original description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
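As an added example (not part of the advisory, Alpine, or the nginx project), the following POSIX shell script turns the description above into two checks a practitioner can run: a heuristic scan of an nginx configuration for the affected rewrite pattern, and a comparison of an installed Alpine package version against the 1.28.3-r1 fix. The embedded sample configuration, the installed version string, and the commands suggested for a real host (`nginx -T` for the config dump, `apk info -v` for the package version) are assumptions; the script runs offline on the constructed sample.

```shell
#!/bin/sh
# Added example (not from the advisory, Alpine or the nginx project):
# a heuristic scan for the rewrite-module pattern described above, and an
# Alpine package-version comparison against the fix version the page names.
# It runs offline on a constructed sample config; on a real host, point
# rewrite_hits at saved `nginx -T` output (assumption: you have that dump).
set -u

# rewrite_hits FILE
# Prints the line number of every `rewrite` directive whose replacement uses
# an unnamed PCRE capture ($1..$9) together with a '?' and whose next
# directive is rewrite, if or set. Returns 0 if anything was found.
# Heuristic assumptions: one directive per line, the replacement is the third
# whitespace-separated token, and "followed by" is read as the immediately
# following directive (the advisory does not say how far apart they may be).
rewrite_hits() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
        line = trim($0)
        if (line == "" || line ~ /^#/) next
        # Resolve a suspicious rewrite seen on the previous directive line.
        if (pending) {
            if (line ~ /^(rewrite|if|set)([ \t(]|$)/) { print pending_line; hits++ }
            pending = 0
        }
        # rewrite <regex> <replacement> [flag];
        if (line ~ /^rewrite[ \t]/) {
            n = split(line, f, /[ \t]+/)
            repl = (n >= 3) ? f[3] : ""
            if (repl ~ /\$[1-9]/ && repl ~ /\?/) { pending = 1; pending_line = NR }
        }
    }
    END { if (hits > 0) exit 0; exit 1 }
    ' "$1"
}

# alpine_ver_lt A B
# Returns 0 if Alpine package version A is older than B. Assumption: plain
# "X.Y.Z-rN" versions (no _p/_git suffixes), which is what the advisory lists.
alpine_ver_lt() {
    a=$(printf '%s' "$1" | sed 's/-r/./')
    b=$(printf '%s' "$2" | sed 's/-r/./')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # identical versions
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

FIXED_VERSION=1.28.3-r1   # fix version named in the advisory
# needs_update INSTALLED: 0 if INSTALLED is older than FIXED_VERSION.
needs_update() { alpine_ver_lt "$1" "$FIXED_VERSION"; }

# Constructed sample config (not from the advisory); it only mirrors the
# pattern the description gives. Line 3 is the one that should be flagged:
# capture + '?' in the replacement, directly followed by a set directive.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real server config
location /old/ {
    rewrite ^/old/(.*)$ /new?path=$1 last;
    set $flag 1;
}
location /c/ {
    rewrite ^/c/(.*)$ /d?q=$1 last;
    return 301 /elsewhere;
}
rewrite ^/a$ /b?x=1 last;
if ($arg_x) { return 403; }
EOF

# Stand-alone run.
if hits=$(rewrite_hits "$SAMPLE_CONF"); then
    echo "advisory rewrite pattern found at line(s): $hits"
else
    echo "no matching rewrite pattern found"
fi
INSTALLED=1.28.2-r0   # constructed; read the real value from `apk info -v`
if needs_update "$INSTALLED"; then
    echo "nginx $INSTALLED is older than $FIXED_VERSION: run 'apk upgrade nginx'"
else
    echo "nginx $INSTALLED is already at or past $FIXED_VERSION"
fi
```

A hit from the scanner means the configuration matches the wording of the advisory, not that exploitation has been confirmed, and a miss only reflects the heuristic's assumptions (one directive per line, immediate adjacency). The page's only stated remedy is the package upgrade, so use the scan to prioritise hosts rather than as a substitute for it.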
Score: 9.4 (CVSS 4.0, as reported by OSV)
References
- Vendor advisory: https://security.alpinelinux.org/vuln/CVE-2026-42945
Published: 13 May 2026 · Updated: 22 May 2026 · First seen: 14 May 2026