nginx:1.24 security update

エラータID: AXSA:2026-645:01

Release date: 
Tuesday, May 19, 2026 - 18:13
Subject: 
nginx:1.24 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.

Security Fix(es):

* nginx: NGINX: Arbitrary Code Execution Vulnerability (CVE-2026-42945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-42945
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Modularity name: "nginx"
Stream name: "1.24"

Solution: 

Update packages.

CVEs: 
CVE-2026-42945
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Additional Info: 

N/A

Download: 

SRPMS
  1. nginx-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.src.rpm
    MD5: cc1de50871785d44d2065f1ef25cd8ab
    SHA-256: f67d03ad75af5abb746f1db707691a3b3281d38258f72396f23ba165b223c07b
    Size: 1.11 MB

Asianux Server 8 for x86_64
  1. nginx-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: 5094a68b2c089431e79ebd5c0771351b
    SHA-256: f0d264513888149d4c0a026d12e0cd32ff91cf5db41c7a6e4d93a44881d8e21b
    Size: 600.10 kB
  2. nginx-all-modules-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.noarch.rpm
    MD5: ee53d7aaf7e7cf6d3c6cfe3f8ddb5e8e
    SHA-256: 475f4aaa827901bc67454a2f410255b13065e0bc40cb9f79069faea163f7bd28
    Size: 25.29 kB
  3. nginx-debugsource-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: 04f85fe498963a0029579189197df89c
    SHA-256: c676c9749e425e5b6b8c16d7aebed38caa213a1353a06951de6f93a286335ea5
    Size: 697.46 kB
  4. nginx-filesystem-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.noarch.rpm
    MD5: 56bdd1c84f49539dfe1d9615edc9462a
    SHA-256: edadb7a0230a28ebb2b841ab72ce7ec458ce2a177afd8215d315069de53df140
    Size: 26.25 kB
  5. nginx-mod-devel-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: 16e152fab4230d47da48dd62e96a8cdc
    SHA-256: 7462cedf8f7df0367aa56622acc25c65c29f474e96a9c689756f14b69cd1b4a9
    Size: 966.65 kB
  6. nginx-mod-http-image-filter-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: f20f28d625922520dad7685e1a9c645f
    SHA-256: 0093288873b3ffe230637bc2ea203051fde45a29ace06b1d66b950671addb24d
    Size: 36.69 kB
  7. nginx-mod-http-perl-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: 47a0ada31cb6f7e7016aed66b4b2233b
    SHA-256: 8cd7a882e2ce411ffefa1db0420bc46f3dcbfcc9631ffa5a67404cf770c1f643
    Size: 48.45 kB
  8. nginx-mod-http-xslt-filter-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: 02065f6699c0059e3512c99a04ffff5f
    SHA-256: 883a769920a7fde82b22d7109d1f4197c8cfd912f38e378c0c74b0d533a2f5f3
    Size: 35.32 kB
  9. nginx-mod-mail-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: 67939e12cb75b9a650ce9aa8fdf55bca
    SHA-256: 4111b3fc792b36bad334397c95d405ca23c17fc40e515114d910c1b519245445
    Size: 68.95 kB
  10. nginx-mod-stream-1.24.0-3.module+el8+1979+2ecbefa4.1.ML.1.x86_64.rpm
    MD5: df964fb18215f92fef53baa4c6a42418
    SHA-256: 1f15d0de5bb7f7f7b09232359d8a88c4079e07e3f8b44e61a81e0cad62f745ec
    Size: 95.92 kB