Topic: New Nginx Vulnerability CVE-2026-42945


New Nginx Vulnerability CVE-2026-42945
« on: May 16, 2026, 10:31:36 PM »
Hi guys,

New critical vulnerability CVE-2026-42945 was discovered in nginx webserver:
https://www.picussecurity.com/resource/blog/nginx-rift-cve-2026-42945-critical-heap-buffer-overflow-vulnerability-explained

Almalinux developers released the patched version of nginx:
https://almalinux.org/ru/blog/2026-05-13-nginx-rift-cve-2026-42945/

To fix it is enough to run:

dnf update
service nginx restart
and then check the nginx version to make sure you are safe.

Re: New Nginx Vulnerability CVE-2026-42945
« Reply #1 on: May 17, 2026, 01:24:39 AM »
AlmaLinux's official instructions are close to that:
sudo dnf clean metadata && sudo dnf upgrade nginx
sudo systemctl restart nginx
But seemingly not that simple with the CWP-installed 1.24 version. And Sandeep's guide for updating to 1.26 on AlphaGNU is outdated:
https://www.alphagnu.com/topic/587-brotli-and-nginx-1262-issues/

Re: New Nginx Vulnerability CVE-2026-42945
« Reply #2 on: May 17, 2026, 03:18:24 AM »
Successfully updated to nginx 1.31.0 by following Sandeep's guide (choose the mainline version, not stable):
https://www.alphagnu.com/topic/55-how-to-install-latest-stablemainline-nginx-in-cwp-centos-89-stream-almalinux-89-rockylinux-89/
but for the actual install line you have to ignore system excludes:
dnf install --disableexcludes=all --disableplugin="*" nginx -y

Re: New Nginx Vulnerability CVE-2026-42945
« Reply #3 on: May 17, 2026, 11:14:19 AM »
Thank you @overseer for your work and post. Much appreciated.

Only thing I had to do was restore the original /etc/nginx/nginx.conf as there were a few errors with the mainline default.

Anyone else on this path, always a good idea to copy/save your conf directories.

Re: New Nginx Vulnerability CVE-2026-42945
« Reply #4 on: May 17, 2026, 01:29:52 PM »
Funny, my upgrade gracefully handled it as it should: An nginx.conf.rpmnew file was created during the update when an upstream Nginx configuration file has changed, but you have manually modified the active configuration file beyond the defaults. Instead of overwriting the customizations, the package manager saves the new default configuration as .rpmnew to prevent service downtime.

Check for /etc/nginx/nginx.conf.rpmnew
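An added example (not from any poster in this thread) that scripts the two checks the thread recommends: the "check the nginx version" step from the first post and the nginx.conf.rpmnew check from Reply #4. It assumes a dnf-based host with nginx on PATH; the thread does not state the fixed version, so the minimum patched version is a placeholder argument taken from the AlmaLinux advisory.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the nginx binary is on PATH.
# MIN_FIXED_VERSION is a placeholder: read it from the AlmaLinux advisory.

# version_ge A B: exit 0 when dotted version A >= B (missing fields count
# as 0, so 1.24 and 1.24.0 compare equal).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}
# nginx_version_from TEXT: pull "1.31.0" out of "nginx version: nginx/1.31.0".
nginx_version_from() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}
# rpmnew_present CONF: exit 0 when the package manager left CONF.rpmnew
# beside a locally modified CONF (the situation described in Reply #4).
rpmnew_present() {
    [ -f "$1.rpmnew" ]
}
# nginx_is_patched MIN: compare the installed binary against MIN.
nginx_is_patched() {
    ver="$(nginx_version_from "$(nginx -v 2>&1)")"
    [ -n "$ver" ] && version_ge "$ver" "$1"
}
main() {
    min="${1:?MIN_FIXED_VERSION (from the advisory) is required}"
    conf="${2:-/etc/nginx/nginx.conf}"
    if nginx_is_patched "$min"; then
        echo "nginx binary is at or above $min"
    else
        echo "nginx binary is still below $min; rerun the update" >&2; exit 1
    fi
    if rpmnew_present "$conf"; then
        echo "$conf.rpmnew exists: merge it into $conf before restarting" >&2
        diff -u "$conf" "$conf.rpmnew" || true
    fi
    nginx -t -c "$conf"   # validate before 'systemctl restart nginx'
}
# Only run the checks when invoked with arguments, e.g. ./check.sh 1.31.0
if [ $# -gt 0 ]; then main "$@"; fi
```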