FORSMILE
JA
セキュリティ2026/07/16

[URGENT] NGINX CVE-2026-42533: Update to Fixed Version — Risk of Unauthenticated Remote Code Execution

A heap buffer overflow vulnerability, CVE-2026-42533, has been discovered in NGINX's `map` directive. This poses a risk of Denial of Service (DoS) and remote code execution, requiring an immediate update to the patched version.

Back to Blog

A critical vulnerability, CVE-2026-42533, has been discovered in NGINX, both the open-source version and its commercial counterpart, NGINX Plus. This vulnerability stems from a heap buffer overflow that occurs when the `map` directive uses regular expression matching, and a regex capture variable within `map` is referenced before a `map` output variable. An unauthenticated attacker sending a specially crafted HTTP request could lead to Denial of Service (DoS) by restarting worker processes, or potentially remote code execution in environments where ASLR (Address Space Layout Randomization) is disabled.

Immediate Actions Required

  • Update to the fixed version confirmed by official sources
  • Apply official workarounds until the update is performed
  • Check for signs of compromise

Vulnerability Overview and Scope

This vulnerability (CVE-2026-42533) is a heap buffer overflow present in NGINX's `map` directive and its regular expression matching process. If an attacker sends a specially crafted HTTP request under specific conditions, the NGINX worker process could crash, leading to a Denial of Service (DoS). Furthermore, in environments where ASLR protection is bypassed or disabled, this could escalate to arbitrary code execution.

⚠ CVE Score — 最高危険度 / CRITICAL
9.2CRITICALCVE-2026-42533

Affected versions include NGINX Open Source from version 0.9.6 to 1.31.2. Specific versions of NGINX Plus are also affected.

Specific Impact and Attack Scenarios

If this vulnerability is exploited, an unauthenticated remote attacker could send a specially crafted HTTP request to crash an NGINX worker process, thereby stopping the web service. Repeated attacks could lead to a persistent Denial of Service (DoS). Furthermore, under conditions where an attacker can disable or bypass ASLR, this heap buffer overflow could be exploited to execute arbitrary code on the target system, potentially leading to full server control. While active exploitation of this vulnerability has not been confirmed, the potential impact is extremely severe.

Remediation Steps and Verification

To address this vulnerability, please update immediately to one of the following fixed versions:

  • NGINX Open Source: stable-1.30.4 or mainline-1.31.3
  • NGINX Plus: the latest fixed version provided by the vendor (F5)

As a temporary workaround, when using regular expression captures in the `map` directive, avoid using unnamed captures and ensure that named captures are used within the same block as the regular expression matching.

nginx
# 脆弱な設定例 (unnamed captures using regex capture variables before map output variable)
# map $uri $key { ~/(?P<name>.*)/ $name; }
#
# 回避策 (use named captures only within the same block)
map $uri $key {
    ~/(?P<name>.*)/ $name;
}

server {
    listen 80;
    location / {
        # $key を使用する際は、map ディレクティブと同じブロック内で利用する
        # 例: add_header X-Key $key;
    }
}
📦
Amazon で関連書籍・ツールを検索
cybersecurity server security tools
Amazonで探す →(アソシエイトリンク)

References and Official Patch Information

Related articles