Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice of the CVE-2026-42945 NGINX Ingress Controller Vulnerability
Updated on 2026-05-20 GMT+08:00

Notice of the CVE-2026-42945 NGINX Ingress Controller Vulnerability

This is a heap buffer overflow vulnerability in the Nginx module. For the Nginx services that match the conditions, this vulnerability will cause the worker process to crash and restart, resulting in DoS attacks. For Nginx services with Address Space Layout Randomization (ASLR) disabled, they are vulnerable to Remote Code Execution (RCE) attacks.

The Kubernetes community NGINX Ingress Controllers have been using Nginx 1.27.1 since v1.13.3. This version is affected by CVE-2026-42945.

Description

Table 1 Vulnerability details

Type

CVE-ID

Severity

Discovered

Denial of service or remote code execution (RCE)

CVE-2026-42945

Critical

2026-05-13

Impact

This vulnerability affects the open-source NGINX Ingress Controller of the following versions:

  • v1.13.9 or earlier
  • v1.14.5 or earlier

This vulnerability affects the CCE NGINX Ingress Controller add-on v5.0.14, v6.0.24, and earlier. Although ASLR is enabled by default in the OS images released by CCE to prevent RCE attacks, DoS attacks may still occur. Refer to NGINX Ingress Controller Release History for the details about the mapping between the CCE NGINX Ingress Controller add-on and open-source versions.

Identification Method

  1. Go to Add-ons and check whether the NGINX Ingress Controller add-on has been installed and its version.
    Figure 1 Viewing the installed add-on version

  2. If the add-on version is 5.0.14, 6.0.24, or earlier, the add-on is affected by this vulnerability. In this case, go to step 3. If the add-on version is not 5.0.14, 6.0.24, or earlier, the add-on is not affected by this vulnerability.
  3. Check the Nginx configuration in the pods for running the CCE NGINX Ingress Controller add-on.

    Run the following command to view the pods of the installed CCE NGINX Ingress Controller add-on:

    kubectl get po -A|grep cceaddon-nginx-ingress|grep controller

    As shown in the figure, two pods are running the NGINX Ingress Controller.

    View the rewrite configuration in the nginx.conf file.

    kubectl exec -it cceaddon-nginx-ingress-controller-8d44d5bb5-csqfj -n kube-system -- cat /etc/nginx/nginx.conf |grep -A 5 -B 5 rewrite

    The Nginx rewrite configuration meets the following conditions, which may trigger the vulnerability:

    1. The replacement string of the rewrite directive contains a question mark (?).
    2. The set, rewrite, or if directive is then used to reference an unnamed capture, such as $1 or $2.

    Common configuration examples (all of which are risky):

    • Example 1: API routing
      rewrite ^/api/(.*)$ /internal?migrated=true;
      set $original_endpoint $1;
    • Example 2: WordPress permanent link
      rewrite ^/(.*)$ /index.php?q=$1;
      set $wp_path $1;
    • Example 3: PHP front controller
      rewrite ^/app/(.*)$ /app.php?path=$1 last;
      set $route $1;

Vulnerability Mitigation Solution

Before fixing these vulnerabilities, grant only the permissions for creating and managing ingresses to trusted users based on the principle of least privilege. For details, see Namespace Permissions (Kubernetes RBAC-based).

If the check result shows that the vulnerability triggering conditions are met, you can harden the ingress configuration by performing the following operations:

  1. Check the ingress configuration.
    kubectl get ingress -A -o yaml | grep -A 5 -B 5 "nginx.ingress.kubernetes.io/rewrite-target"
    kubectl get ingress -A -o yaml | grep -A 5 -B 5 "nginx.ingress.kubernetes.io/configuration-snippet"
  2. Use named captures.
    Replace unnamed captures (such as $1 and $2) in the dangerous rewrite and set directive combinations in all configurations with named captures (such as (?<name>...)).
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: safe-ingress
      annotations:
        # Use the named capture $path and retain the question mark (but the named capture can mitigate the vulnerability).
        nginx.ingress.kubernetes.io/rewrite-target: /new-path/$path?
        nginx.ingress.kubernetes.io/configuration-snippet: |
          set $my_var $uri;   # Subsequent directives still exist, but the vulnerability is mitigated because a named capture is used.
    spec:
      rules:
      - host: example.com
        http:
          paths:
          - path: /old/(?<path>.*)   # Define the path of the named capture.
            pathType: Prefix
            backend:
              service:
                name: backend-svc
                port:
                  number: 80
  3. Modify nginx.ingress.kubernetes.io/configuration-snippet in the annotation of the ingress by referring to step 2.

Vulnerability Fixing Solution

CCE will release a new version of the NGINX Ingress Controller add-on that addresses this vulnerability. Keep an eye out for NGINX Ingress Controller Release History.

Helpful Links

Official Nginx security advisories: https://nginx.org/en/security_advisories.html