Notice of the CVE-2026-42945 NGINX Ingress Controller Vulnerability
This is a heap buffer overflow vulnerability in the Nginx module. For the Nginx services that match the conditions, this vulnerability will cause the worker process to crash and restart, resulting in DoS attacks. For Nginx services with Address Space Layout Randomization (ASLR) disabled, they are vulnerable to Remote Code Execution (RCE) attacks.
The Kubernetes community NGINX Ingress Controllers have been using Nginx 1.27.1 since v1.13.3. This version is affected by CVE-2026-42945.
Description
| Type | CVE-ID | Severity | Discovered |
|---|---|---|---|
| Denial of service or remote code execution (RCE) | Critical | 2026-05-13 |
Impact
This vulnerability affects the open-source NGINX Ingress Controller of the following versions:
- v1.13.9 or earlier
- v1.14.5 or earlier
This vulnerability affects the CCE NGINX Ingress Controller add-on v5.0.14, v6.0.24, and earlier. Although ASLR is enabled by default in the OS images released by CCE to prevent RCE attacks, DoS attacks may still occur. Refer to NGINX Ingress Controller Release History for the details about the mapping between the CCE NGINX Ingress Controller add-on and open-source versions.
Identification Method
- Go to Add-ons and check whether the NGINX Ingress Controller add-on has been installed and its version. Figure 1 Viewing the installed add-on version
- If the add-on version is 5.0.14, 6.0.24, or earlier, the add-on is affected by this vulnerability. In this case, go to step 3. If the add-on version is not 5.0.14, 6.0.24, or earlier, the add-on is not affected by this vulnerability.
- Check the Nginx configuration in the pods for running the CCE NGINX Ingress Controller add-on.
Run the following command to view the pods of the installed CCE NGINX Ingress Controller add-on:
kubectl get po -A|grep cceaddon-nginx-ingress|grep controller
As shown in the figure, two pods are running the NGINX Ingress Controller.

View the rewrite configuration in the nginx.conf file.
kubectl exec -it cceaddon-nginx-ingress-controller-8d44d5bb5-csqfj -n kube-system -- cat /etc/nginx/nginx.conf |grep -A 5 -B 5 rewrite
The Nginx rewrite configuration meets the following conditions, which may trigger the vulnerability:
- The replacement string of the rewrite directive contains a question mark (?).
- The set, rewrite, or if directive is then used to reference an unnamed capture, such as $1 or $2.
Common configuration examples (all of which are risky):
- Example 1: API routing
rewrite ^/api/(.*)$ /internal?migrated=true; set $original_endpoint $1;
- Example 2: WordPress permanent link
rewrite ^/(.*)$ /index.php?q=$1; set $wp_path $1;
- Example 3: PHP front controller
rewrite ^/app/(.*)$ /app.php?path=$1 last; set $route $1;
Vulnerability Mitigation Solution
Before fixing these vulnerabilities, grant only the permissions for creating and managing ingresses to trusted users based on the principle of least privilege. For details, see Namespace Permissions (Kubernetes RBAC-based).
If the check result shows that the vulnerability triggering conditions are met, you can harden the ingress configuration by performing the following operations:
- Check the ingress configuration.
kubectl get ingress -A -o yaml | grep -A 5 -B 5 "nginx.ingress.kubernetes.io/rewrite-target" kubectl get ingress -A -o yaml | grep -A 5 -B 5 "nginx.ingress.kubernetes.io/configuration-snippet"
- Use named captures. Replace unnamed captures (such as $1 and $2) in the dangerous rewrite and set directive combinations in all configurations with named captures (such as (?<name>...)).
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: safe-ingress annotations: # Use the named capture $path and retain the question mark (but the named capture can mitigate the vulnerability). nginx.ingress.kubernetes.io/rewrite-target: /new-path/$path? nginx.ingress.kubernetes.io/configuration-snippet: | set $my_var $uri; # Subsequent directives still exist, but the vulnerability is mitigated because a named capture is used. spec: rules: - host: example.com http: paths: - path: /old/(?<path>.*) # Define the path of the named capture. pathType: Prefix backend: service: name: backend-svc port: number: 80 - Modify nginx.ingress.kubernetes.io/configuration-snippet in the annotation of the ingress by referring to step 2.
Vulnerability Fixing Solution
CCE will release a new version of the NGINX Ingress Controller add-on that addresses this vulnerability. Keep an eye out for NGINX Ingress Controller Release History.
Helpful Links
Official Nginx security advisories: https://nginx.org/en/security_advisories.html
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.