nginx:1.26 security update

エラータID: AXSA:2026-705:01

Release date: 
Thursday, May 21, 2026 - 18:52
Subject: 
nginx:1.26 security update
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

nginx is a web and proxy server supporting HTTP and other protocols, with a
focus on high concurrency, performance, and low memory usage.

Security Fix(es):

nginx: NGINX: Arbitrary Code Execution Vulnerability (CVE-2026-42945)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2026-42945
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Modularity name: "nginx"
Stream name: "1.26"

Solution: 

Update packages.

CVEs: 
CVE-2026-42945
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Additional Info: 

N/A

Download: 

SRPMS
  1. nginx-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.src.rpm
    MD5: 4312416c35879a50a3f8fe2ae65a4a59
    SHA-256: 3f9a7f8da796e6355ae21d6cee69fc773fb2f171fd4fa18fcfd7a5161ab2c2fd
    Size: 1.28 MB

Asianux Server 9 for x86_64
  1. nginx-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: 7cdebbf9a2ae57ddfd9923bfb8d9a3a4
    SHA-256: 3214e160f12b2d0c26c8d457eb0073ebd8f87bf107442116439344f97170d850
    Size: 35.43 kB
  2. nginx-all-modules-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.noarch.rpm
    MD5: 9fb1448e7394b67e4b1aa93d1cfd7238
    SHA-256: 8c438e47293b38166981baf10c8ed1f7c504021e5d61a3e8a0f0ac3fb2a79dcc
    Size: 8.04 kB
  3. nginx-core-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: f5fecf206f2d5e25a3320aea11e034c1
    SHA-256: 7790cd492fe09dd687906c4863f282dedd267382a08dd265e98949308711f577
    Size: 666.44 kB
  4. nginx-debugsource-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: 6e721c3cb66b44d89ecc048620c4490a
    SHA-256: 5f4f620960a6712556702728a7dfdfe33a3ed1f66a96408bc5bff695c311b042
    Size: 701.20 kB
  5. nginx-filesystem-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.noarch.rpm
    MD5: a47673f5fa99834ee77e0269ccb55d9a
    SHA-256: 2c0d9cec66954d89e4e3bb719bc344e494c27ce1d226e640291189678bc842a0
    Size: 9.51 kB
  6. nginx-mod-devel-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: cac473d706ca0b1377f0a0e557163b25
    SHA-256: 1bff50e3f10f20340537151ad73b37c574ef92c4e25e7d5e64d2dd56bc5afa7b
    Size: 0.96 MB
  7. nginx-mod-http-image-filter-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: a828b35ea7e25612026d9d126c0ceed3
    SHA-256: 9ec877707a90a562aca95b75154cca3c75dbdcd07f3d6c9079a9eaafc3cefb17
    Size: 19.66 kB
  8. nginx-mod-http-perl-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: ea4cd8f5c3c1846695ba6abd9b71cf2c
    SHA-256: 47dd76182093a4b8461bfdec1a8f1a6d2ecd4e807c491c3510887fbe2b2a414c
    Size: 31.02 kB
  9. nginx-mod-http-xslt-filter-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: bfb8f2cd3043c1f224770d5ee679dc8c
    SHA-256: 738893d3e06c661db969a95cf60ae37e5ae1aae4b5c7345430fb1cf49e4e6e21
    Size: 18.32 kB
  10. nginx-mod-mail-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: 8e292ff8f4faee52fb410aa315473f9a
    SHA-256: 9bf12d6493c2b5bac22208c944e3e4b02c433138721f78a7cc66bd2dc91a3e48
    Size: 53.07 kB
  11. nginx-mod-stream-1.26.3-2.module+el9+1154+5cc10db0.1.ML.1.x86_64.rpm
    MD5: f12a1dd6e8f5cd5180bd69f8c12814b9
    SHA-256: 538ff9d39958955d31f4cd2c42f0e63d6021c614223552bdbbefa28e1d005a45
    Size: 84.86 kB