VDB
RHSA-2026%3A19372
RHSA-2026%3A19372
PUBLISHED
CVSS 8.100000381469727 HIGH
A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution if Address Space Layout Randomization (ASLR), a security technique to prevent exploitation, is disabled. Otherwise, this flaw causes a denial of service due to a restart of the NGINX worker process.
Risk Scores
CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | nginx-mod-devel-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-debugsource-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.ppc64le (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-stream-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.s390x (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-mail-debuginfo-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.ppc64le (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-http-image-filter-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.s390x (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-http-perl-debuginfo-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.s390x (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-core-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.s390x (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-http-image-filter-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.x86_64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-mail-debuginfo-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-debuginfo-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.ppc64le (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-debugsource-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.x86_64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-core-debuginfo-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-debugsource-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-http-xslt-filter-debuginfo-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-stream-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-mail-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-http-xslt-filter-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.aarch64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-mail-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.x86_64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
| Red Hat | nginx-mod-stream-debuginfo-2:1.26.3-9.module+el9.8.0+24288+e2e6d896.x86_64 (nginx:1.26) as a component of Red Hat Enterprise Linux AppStream (v. 9) | 1.26.3-9.module |
…and 47 more
Timeline
- May 19, 2026 CVE Published
- Jun 23, 2026 CVE Updated
- Jun 23, 2026 Distribution Patch
- Jun 23, 2026 Distribution Patch
- Jun 23, 2026 Security Advisory
- Jun 23, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2026:19372 advisory
- https://access.redhat.com/security/updates/classification/#critical advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2477116 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19372.json advisory
- https://access.redhat.com/security/cve/CVE-2026-42945 advisory
- https://www.cve.org/CVERecord?id=CVE-2026-42945 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-42945 advisory
- https://depthfirst.com/nginx-rift advisory
- https://my.f5.com/manage/s/article/K000161019 advisory