{"schema_version":"1.7.2","id":"OESA-2026-2406","modified":"2026-05-22T13:18:54Z","published":"2026-05-22T13:18:54Z","upstream":["CVE-2026-42945"],"summary":"nginx security update","details":"NGINX is a free, open-source, high-performance HTTP server and reverse proxy,  as well as an IMAP/POP3 proxy server.\r\n\r\nSecurity Fix(es):\n\nNGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.(CVE-2026-42945)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"nginx","purl":"pkg:rpm/openEuler/nginx&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.21.5-13.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["nginx-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-debuginfo-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-debugsource-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-mod-devel-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-mod-http-image-filter-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-mod-http-perl-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-mod-http-xslt-filter-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-mod-mail-1.21.5-13.oe2203sp4.aarch64.rpm","nginx-mod-stream-1.21.5-13.oe2203sp4.aarch64.rpm"],"noarch":["nginx-all-modules-1.21.5-13.oe2203sp4.noarch.rpm","nginx-filesystem-1.21.5-13.oe2203sp4.noarch.rpm","nginx-help-1.21.5-13.oe2203sp4.noarch.rpm"],"src":["nginx-1.21.5-13.oe2203sp4.src.rpm"],"x86_64":["nginx-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-debuginfo-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-debugsource-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-mod-devel-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-mod-http-image-filter-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-mod-http-perl-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-mod-http-xslt-filter-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-mod-mail-1.21.5-13.oe2203sp4.x86_64.rpm","nginx-mod-stream-1.21.5-13.oe2203sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2406"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42945"}],"database_specific":{"severity":"High"}}