EGI SVG Advisories

Advisory-EGI-SVG-2026-16

HIGH risk nginx vulnerability

Date: 2026-05-14

Updated: 2026-05-21

DESCRIPTION

A HIGH risk vulnerability has been found in the “nginx” module
“ngx_http_rewrite_module”, which is used by many web services.
It is described extensively in [R 1] and [R 2].

IDs AND CVSS SCORE

EGI SVG ID : EGI-SVG-2026-16

CVE ID : CVE-2026-42945

CVSSv3 Score:

ACTIONS REQUIRED/RECOMMENDED

Sites are strongly recommended to patch their nginx instances
as soon as possible. At the time of writing, patches are only
available for very few distributions. AlmaLinux has patches.
Please consult the references listed below for your distribution(s).
For mitigation options, see [R 1] under:

"Temporary mitigation: rewrite your rewrites" 

MORE INFORMATION

Whereas the CVSS assessment detailed in [R 2] rates the risk as critical,
EGI SVG judges the risk to be high, because of the complexity of
pulling off an actual exploit rather than a DoS (see [R 1]).
However, if an actual exploit gets published, the risk will become critical.
Therefore, please patch your instances as soon as possible!

STATUS OF THIS ADVISORY

TLP:CLEAR information - Unlimited distribution

https://advisories.egi.eu/Advisory-EGI-SVG-2026-16

https://advisories.egi.eu/Advisory-SVG-42945

Minor updates may be made without re-distribution to the sites.

CONTACT AND OTHER INFORMATION ON SVG


This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.

Comments or questions should be sent to

svg-rat at mailman.egi.eu

Vulnerabilities relevant for EGI can be reported at

report-vulnerability at egi.eu

(see [R 99] for further details, and other information on SVG)

REFERENCES

CREDITS

SVG was alerted to this vulnerability by the EGI CSIRT