Ubuntu has published USN-8271-1 for a new nginx vulnerability tracked as CVE-2026-42945.

The issue affects the ngx_http_rewrite_module component and can be triggered through specially crafted HTTP requests involving certain rewrite directives and PCRE captures.

A successful attack may:

  • crash nginx worker processes and cause a denial of service
  • possibly allow remote code execution on systems without ASLR enabled

According to F5 Networks, the vulnerability exists when a rewrite directive is followed by another rewrite, if, or set directive using unnamed PCRE captures like $1 or $2 combined with replacement strings containing a question mark (?).

Exploitation does not require authentication, although researchers note there are additional conditions required for successful exploitation.

Ubuntu Advisory: https://ubuntu.com/security/notices/USN-8271-1 CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-42945