CVE status

Maxim Dounin mdounin at mdounin.ru
Fri May 15 00:07:42 UTC 2026


Hello!

On Thu, May 14, 2026 at 02:15:35PM -0700, bayberry.uninspired694 at aceecat.org wrote:

> Hi,
> 
> does CVE-2026-42945 apply to freenginx? And if yes, will there be a point
> release to fix it?
> 
> Here's the reference:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2026-42945

It does apply.

Note though that triggering this bug requires rather specific 
configuration (a matched "rewrite" which changes request arguments 
but continues rewrite processing, that is, without "break" or any 
other flags, followed by a "set" or "if" which uses positional 
captures or another matched rewrite which uses positional captures and 
additional variables or duplicate positional captures), and 
therefore most configurations won't be affected at all.  As a 
reference point, none of the examples provided in the rewrite 
documentation are affected.

I'm currently looking into this, as well as other issues published 
by F5, and will provide appropriate patches shortly.  Once patches 
are ready, there will be a release.

-- 
Maxim Dounin
http://mdounin.ru/
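
The configuration pattern described in the message above can be searched for in existing configs. The following is an added example, not part of the original message and not freenginx code: a static heuristic that lists candidates for manual review. It assumes that "changes request arguments" means a `?` in the rewrite replacement and that state is tracked per `server`/`location` block; the names `statements`, `audit` and `SAMPLE` are hypothetical, and whether a rewrite actually matches at run time cannot be decided statically.

```python
import re

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[;{}]|[^\s;{}]+')
POSITIONAL = re.compile(r'\$([1-9])')      # $1..$9
NAMED = re.compile(r'\$[A-Za-z_{]')        # $uri, ${name}, ...
FLAGS = {"last", "break", "redirect", "permanent"}

def statements(conf):
    """Yield each directive (or block opener) as a list of tokens."""
    stmt = []
    for tok in TOKEN.findall(re.sub(r'#.*', '', conf)):
        if tok in (';', '{', '}'):
            if stmt:
                yield stmt
            stmt = []
        else:
            stmt.append(tok)

def audit(conf):
    """Return (arming rewrite, later directive) pairs worth a manual look."""
    findings, armed = [], None
    for stmt in statements(conf):
        name, args, text = stmt[0], stmt[1:], ' '.join(stmt)
        if name in ('server', 'location'):
            armed = None                   # assumption: track per block
        elif armed and name in ('set', 'if') and POSITIONAL.search(text):
            findings.append((armed, text))
        elif name == 'rewrite' and len(args) >= 2:
            repl = args[1]
            caps = POSITIONAL.findall(repl)
            if armed and caps and (NAMED.search(repl) or len(caps) != len(set(caps))):
                findings.append((armed, text))
            # Assumption: "changes request arguments" means '?' in the replacement.
            if '?' in repl and not (len(args) > 2 and args[2] in FLAGS):
                armed = armed or text
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r'''
server {
    location /a/ { rewrite ^/a/(.*)$ /b/$1?from=a;  set $orig $1; }
    location /c/ { rewrite ^/c/(.*)$ /d/$1?x=1 break;  set $orig $1; }
    location /e/ {
        rewrite ^/e/(.*)$ /f/$1?x=1;
        rewrite ^/f/(.*)$ /g/$1/$1;
        rewrite ^/g/(.*)$ /h/$1;
    }
}
'''
```

Calling `audit(SAMPLE)` reports the `set` in `/a/` and the duplicate-capture rewrite in `/e/`; the `/c/` block is skipped because its rewrite carries `break`.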

