NGINX Heap Overflow Vulnerability (CVE-2026-42945) via Rewrite Module – Mitigation and Fix

Applicable to:

  • SolusVM 1
  • SolusVM 2

Symptoms 

Systems running affected NGINX versions may show:

  • Unexpected NGINX worker process crashes and automatic restarts
  • Intermittent HTTP availability issues (Denial of Service symptoms)
  • Potential abnormal request patterns in access logs

Cause

A heap-based buffer overflow vulnerability (CVE-2026-42945) was disclosed in the NGINX rewrite module.

The issue affects NGINX versions from 0.6.27 through 1.30.0 and can be triggered by crafted HTTP requests.

The vulnerability can lead to:

  • NGINX worker process crash (Denial of Service)
  • Theoretical remote code execution (RCE), only if ASLR is disabled

Since ASLR is enabled by default on all Linux distributions supported by SolusVM 1 and SolusVM 2, the realistic impact is limited to Denial of Service. See https://nvd.nist.gov/vuln/detail/CVE-2026-42945

The vulnerability requires all three of the following conditions in the NGINX configuration:

  • A rewrite directive with a ? in the replacement string
  • Usage of unnamed capture groups (e.g. $1, $2)
  • A subsequent rewrite, if, or set directive in the same scope

 

Resolution

SolusVM 2

Not affected.

SolusVM 2 runs NGINX inside a Docker container with a fixed configuration that:

  • Does not use rewrite directives
  • Cannot be modified manually
  • Is automatically replaced during updates

As a result, the vulnerable configuration pattern cannot be introduced.

SolusVM 1

Not affected in the default configuration.

The NGINX configuration shipped with SolusVM 1 does not include rewrite directives, so the vulnerability is not triggered.

SolusVM 1 installs NGINX directly on the host system, allowing administrators to modify configuration files. Custom rules may introduce the vulnerable pattern.

Determine if SolusVM 1 is affected

Check the NGINX configuration for rewrite directives:

grep -rn 'rewrite' /usr/local/svmstack/nginx/conf/

Interpretation:

  • No output → System is not affected
  • Output present → Review each rule carefully

Affected if the rewrite directive:

  • Contains ? in the replacement string
  • Uses numbered captures (e.g. $1)
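
The grep above only lists rewrite lines. The following added example (not part of the original article or of SolusVM tooling) checks each rewrite against the three conditions listed under Cause. It assumes that "same scope" means the same { } block and does not follow include directives; the function names and the sample configuration are constructed for illustration.

```python
import re

FOLLOW_UP = {"rewrite", "if", "set"}  # directives named in the third condition

# Constructed sample configuration (not taken from a real SolusVM host).
SAMPLE = r"""
location /a {
    rewrite ^/user/(.*)$ /index.php?id=$1&test=1 last;  # numbered capture
    set $flag 1;
}
location /b {
    rewrite ^/user/(?<id>.*)$ /index.php?id=$id&test=1 last;
    set $flag 1;
}
location /c { rewrite ^/item/(.*)$ /item.php?n=$1 last; }
"""

def scopes(conf):
    """Split config text into blocks; each block is a list of (line_no, tokens)."""
    done, stack, cur, line = [], [[]], [], 1
    for m in re.finditer(r'#.*|"[^"]*"|\'[^\']*\'|[;{}]|\n|[^\s;{}]+', conf):
        tok = m.group()
        if tok in (";", "{", "}"):  # end of a directive or of a block header
            if cur:
                stack[-1].append((cur[0], cur[1:]))
            cur = []
            if tok == "{":
                stack.append([])
            elif tok == "}" and len(stack) > 1:
                done.append(stack.pop())
        elif tok.strip() and not tok.startswith("#"):  # skip newlines and comments
            cur = cur or [line]  # remember the line the directive starts on
            cur.append(tok.strip("\"'"))
        line += tok.count("\n")
    return done + stack

def audit(conf):
    """Return (line_no, directive, followed) per rewrite with '?' and $N in its replacement."""
    hits = []
    for scope in scopes(conf):
        for i, (line_no, tok) in enumerate(scope):
            risky = tok[0] == "rewrite" and len(tok) > 2 and "?" in tok[2]
            if risky and re.search(r"\$\d", tok[2]):
                later = [re.match(r"\w*", t[0])[0] for _, t in scope[i + 1:]]
                hits.append((line_no, " ".join(tok), any(d in FOLLOW_UP for d in later)))
    return sorted(hits)

if __name__ == "__main__":
    for line_no, text, followed in audit(SAMPLE):
        print(line_no, "all three conditions" if followed else "two of three", text)
```

Rules reported as "two of three" still match the review criteria above, so treat them the same way when cleaning up the configuration.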

Mitigation (if vulnerable rules are found)

  • Remove the affected rewrite directives, or
  • Rewrite them using named capture groups instead of numbered ones

# Vulnerable
rewrite ^/user/(.*)$ /index.php?id=$1&test=1 last;

# Safe (named capture)
rewrite ^/user/(?<id>.*)$ /index.php?id=$id&test=1 last;

Additional recommendations

  • Ensure ASLR remains enabled on the system
  • Keep NGINX updated to a fixed version (1.30.1+ or 1.31.0)
  • Monitor logs for repeated worker crashes

If no vulnerable rewrite rules are present, no action is required.