CVE-2026-42533 in NGINX Plus
Summary
by MITRE • 07/15/2026
A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Impact: This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability resides within the NGINX web server software family, specifically affecting both NGINX Plus and NGINX Open Source implementations. The flaw manifests in the handling of map directives that utilize regular expression matching combined with string expressions referencing capture variables. According to CWE-121, this represents a classic heap-based buffer overflow condition that occurs when memory is accessed beyond its allocated bounds. The vulnerability operates at the data plane level, meaning it affects the processing of incoming network traffic rather than administrative functions, making it particularly concerning for systems handling high volumes of HTTP requests. The issue stems from improper variable evaluation order within NGINX's internal processing engine where regex capture variables are referenced before the map output variable, creating a scenario where memory corruption can occur during string interpolation.
The technical exploitation requires an attacker to craft specific HTTP requests that trigger the problematic code path within NGINX worker processes. This condition can be achieved through careful manipulation of map directive configurations that combine regex patterns with variable references in the wrong order. The vulnerability's impact is multifaceted, as it can lead to both denial-of-service conditions and potential code execution depending on system security mitigations. When Address Space Layout Randomization (ASLR) is disabled or bypassed, attackers gain additional capabilities to execute arbitrary code, making this vulnerability particularly dangerous in environments where security hardening has been insufficient. The heap buffer overflow occurs during the processing of HTTP requests, causing NGINX worker processes to crash and restart, thereby disrupting service availability.
From an operational perspective, this vulnerability represents a significant risk to web server availability and system integrity within organizations relying on NGINX for traffic management. The attack vector requires only unauthenticated access to send specially crafted HTTP requests, making it accessible to any external party with network connectivity to the affected systems. Security practitioners should note that this issue affects the core data plane processing functionality of NGINX, meaning that even well-configured firewalls or access controls may not prevent exploitation since the vulnerability occurs during normal request processing. The impact extends beyond simple service disruption as code execution capabilities present a potential pathway for attackers to establish persistent access or escalate privileges within affected environments.
Mitigation strategies should focus on immediate patching of affected NGINX versions, as well as implementing configuration changes that avoid the problematic map directive usage patterns. Organizations should review all map directives containing regex matching and variable references to ensure proper ordering and avoid referencing capture variables before output variables. Network segmentation and monitoring for unusual traffic patterns can provide early detection of exploitation attempts. The vulnerability aligns with ATT&CK technique T1498 which involves denial-of-service attacks, while also potentially enabling T1059 for code execution when ASLR is bypassed or disabled. Given that this affects systems at the data plane level, implementing additional monitoring within NGINX logs for worker process restarts or memory anomalies can provide valuable threat detection capabilities for organizations that cannot immediately patch their systems.