CVE status

Maxim Dounin mdounin at mdounin.ru
Fri May 15 03:44:06 UTC 2026


Hello!

On Fri, May 15, 2026 at 12:38:09AM +0000, Thomas Ward via nginx wrote:

> FYI Maxim the fix for the buffer overrun in rewrite is a one line patch.

Sure, except it might not be the best solution.  Based on my 
analysis I tend to prefer at least three lines.

Also, I see at least one additional case of obviously incorrect 
escaping applied by the related rewrite code, though without a 
buffer overrun.

> -------- Original message --------
> From: Maxim Dounin <mdounin at mdounin.ru>
> Date: 5/14/26 20:09 (GMT-05:00)
> To: nginx at freenginx.org
> Subject: Re: CVE status
> 
> Hello!
> 
> On Thu, May 14, 2026 at 02:15:35PM -0700, bayberry.uninspired694 at aceecat.org wrote:
> 
> > Hi,
> >
> > does CVE-2026-42945 apply to freenginx? And if yes, will there be a point
> > release to fix it?
> >
> > Here's the reference:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2026-42945
> 
> It does apply.
> 
> Note though that triggering this bug requires rather specific
> configuration (a matched "rewrite" which changes request arguments
> but continues rewrite processing, that is, without "break" or any
> other flags, followed by a "set" or "if" which uses positional
> captures or another matched rewrite which uses positional captures and
> additional variables or duplicate positional captures), and
> therefore most configurations won't be affected at all.  As a
> reference point, none of the examples provided in the rewrite
> documentation are affected.
> 
> I'm currently looking into this, as well as other issues published
> by F5, and will provide appropriate patches shortly.  Once patches
> are ready, there will be a release.
> 
> --
> Maxim Dounin
> http://mdounin.ru/

-- 
Maxim Dounin
http://mdounin.ru/
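
The configuration shape described in the quoted reply above (a "rewrite" that changes request arguments and carries no flag, followed by a "set", "if" or further "rewrite" using positional captures) can be looked for statically when auditing a deployment. The Python script below is an added example, not part of the original thread and not freenginx code; the function names, the simplified tokenizer, the treatment of a "?" in the replacement as the sign of changed arguments, and the sample configuration are all assumptions made for illustration.

```python
import re

FLAGS = {"last", "break", "redirect", "permanent"}
CAPTURE = re.compile(r"\$[1-9]")            # positional captures $1..$9
NAMED_VAR = re.compile(r"\$\{?[A-Za-z_]")   # any other variable

def statements(text):
    # Simplified tokenizer (assumption): no quoted ';', '{', '}' or '#'.
    text = re.sub(r"#[^\n]*", "", text)
    start = 0
    for m in re.finditer(r"[;{}]", text):
        chunk = text[start:m.start()]
        lead = len(chunk) - len(chunk.lstrip())
        yield text.count("\n", 0, start + lead) + 1, chunk.split(), m.group()
        start = m.end()

def uses_captures(name, args):
    if name in ("set", "if"):
        return bool(CAPTURE.search(" ".join(args)))
    if name == "rewrite" and len(args) >= 2:
        caps = CAPTURE.findall(args[1])
        # captures plus additional variables, or duplicate captures
        return bool(caps) and (len(caps) != len(set(caps)) or bool(NAMED_VAR.search(args[1])))
    return False

def audit(text):
    findings, armed = [], [None]  # per open block: line of the flagless rewrite
    for line, words, end in statements(text):
        if end == "}":
            if len(armed) > 1:
                armed.pop()
            continue
        name, args = (words[0], words[1:]) if words else ("", [])
        if armed[-1] and uses_captures(name, args):
            findings.append((armed[-1], line))  # (rewrite line, follow-up line)
        if name == "rewrite" and len(args) >= 2 and "?" in args[1] and not FLAGS & set(args[2:]):
            armed[-1] = line
        if end == "{":  # state carries into nested "if" blocks only (assumption)
            armed.append(armed[-1] if name == "if" else None)
    return findings

SAMPLE = """
server {
    location /a/ {
        rewrite ^/a/(.*)$ /b/$1?src=a;   # constructed: changes args, no flag
        set $orig $1;                    # constructed: capture used afterwards
    }
}
"""
```

A reported pair marks directives to review by hand; whether the first rewrite actually matches depends on the request, which a static check cannot see.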

