A critical vulnerability, CVE-2026-42533, has been discovered in NGINX, both the open-source version and its commercial counterpart, NGINX Plus. This vulnerability stems from a heap buffer overflow that occurs when the `map` directive uses regular expression matching, and a regex capture variable within `map` is referenced before a `map` output variable. An unauthenticated attacker sending a specially crafted HTTP request could lead to Denial of Service (DoS) by restarting worker processes, or potentially remote code execution in environments where ASLR (Address Space Layout Randomization) is disabled.
Immediate Actions Required
- ✓Update to the fixed version confirmed by official sources
- ✓Apply official workarounds until the update is performed
- ✓Check for signs of compromise
Vulnerability Overview and Scope
This vulnerability (CVE-2026-42533) is a heap buffer overflow present in NGINX's `map` directive and its regular expression matching process. If an attacker sends a specially crafted HTTP request under specific conditions, the NGINX worker process could crash, leading to a Denial of Service (DoS). Furthermore, in environments where ASLR protection is bypassed or disabled, this could escalate to arbitrary code execution.
Affected versions include NGINX Open Source from version 0.9.6 to 1.31.2. Specific versions of NGINX Plus are also affected.
Specific Impact and Attack Scenarios
If this vulnerability is exploited, an unauthenticated remote attacker could send a specially crafted HTTP request to crash an NGINX worker process, thereby stopping the web service. Repeated attacks could lead to a persistent Denial of Service (DoS). Furthermore, under conditions where an attacker can disable or bypass ASLR, this heap buffer overflow could be exploited to execute arbitrary code on the target system, potentially leading to full server control. While active exploitation of this vulnerability has not been confirmed, the potential impact is extremely severe.
Remediation Steps and Verification
To address this vulnerability, please update immediately to one of the following fixed versions:
- ✓NGINX Open Source: stable-1.30.4 or mainline-1.31.3
- ✓NGINX Plus: the latest fixed version provided by the vendor (F5)
As a temporary workaround, when using regular expression captures in the `map` directive, avoid using unnamed captures and ensure that named captures are used within the same block as the regular expression matching.
# 脆弱な設定例 (unnamed captures using regex capture variables before map output variable)
# map $uri $key { ~/(?P<name>.*)/ $name; }
#
# 回避策 (use named captures only within the same block)
map $uri $key {
~/(?P<name>.*)/ $name;
}
server {
listen 80;
location / {
# $key を使用する際は、map ディレクティブと同じブロック内で利用する
# 例: add_header X-Key $key;
}
}