NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:17751 https://access.redhat.com/errata/RHSA-2026:17751
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:17752 https://access.redhat.com/errata/RHSA-2026:17752
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:17753 https://access.redhat.com/errata/RHSA-2026:17753
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:17791 https://access.redhat.com/errata/RHSA-2026:17791
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:17790 https://access.redhat.com/errata/RHSA-2026:17790
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:17793 https://access.redhat.com/errata/RHSA-2026:17793
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:17794 https://access.redhat.com/errata/RHSA-2026:17794
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:17792 https://access.redhat.com/errata/RHSA-2026:17792
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:18041 https://access.redhat.com/errata/RHSA-2026:18041
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:18063 https://access.redhat.com/errata/RHSA-2026:18063
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:18029 https://access.redhat.com/errata/RHSA-2026:18029
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:19159 https://access.redhat.com/errata/RHSA-2026:19159
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19374 https://access.redhat.com/errata/RHSA-2026:19374
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19371 https://access.redhat.com/errata/RHSA-2026:19371
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19372 https://access.redhat.com/errata/RHSA-2026:19372