This vulnerability enables unauthenticated remote code execution in a widely deployed web server module, creating urgent risk for production infrastructure and hosting providers. Tech teams must assess exposure, patch, and adjust rewrite configurations to prevent exploitation.
Dossier last updated: 2026-05-14 17:47:27
A critical heap buffer overflow (CVE-2026-42945) in NGINX's ngx_http_rewrite_module enables unauthenticated remote code execution by exploiting a two-pass script-engine bug when rewrite replacements include a '?'. DepthFirst's automated analysis system found this issue plus three other memory-corruption flaws (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934). The flaw arises because the length-calculation pass uses a zeroed sub-engine while the copy pass treats the data as URI args, causing NGX_ESCAPE_ARGS expansion to overflow an undersized heap buffer; attackers can then corrupt an adjacent ngx_pool_t cleanup pointer to trigger system() and achieve RCE. NGINX Open Source and NGINX Plus versions are listed with fixed releases; a PoC and containerized test setup are provided. This matters because widely deployed NGINX servers using rewrite/set directives were remotely exploitable without authentication.
A critical heap buffer overflow (CVE-2026-42945) in NGINX's ngx_http_rewrite_module, introduced in 2008, enables unauthenticated remote code execution when rewrite and set directives are used. Depthfirst's automated analysis system discovered this and three other memory-corruption flaws (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934). The bug stems from a mismatch between the length-calculation and copy passes in NGINX's script engine: the length pass omits escaping logic while the copy pass applies NGX_ESCAPE_ARGS, expanding bytes and overflowing an undersized heap buffer. Exploits use cross-request heap manipulation to overwrite a pool cleanup pointer and invoke system(), achieving command execution. NGINX Open Source and NGINX Plus have issued fixes; a PoC and vendor advisory are available.
Researchers disclosed a set of NGINX vulnerabilities including a critical CVE-2026-42945 that dates back to 2008 and affects roughly one-third of web servers worldwide. The flaws, found by depthfirst during an automated codebase scan, allow unauthenticated attackers to crash worker processes via crafted HTTP requests and, under certain conditions (and with ASLR disabled or through repeated exploitation attempts), achieve remote code execution by triggering a buffer overflow in ngx_http_rewrite_module’s handling of escaped parameters. NGINX confirmed four of five issues and released fixed versions: Open Source 1.31.0/1.30.1 and Plus R36 P4/R32 P6; a mitigation is converting unnamed regex captures in rewrite rules to named captures. The broad impact and long-lived nature make prompt patching essential for internet infrastructure security.
A critical heap-buffer-overflow (CVE-2026-42945, CVSS 9.2) in NGINX's ngx_http_rewrite_module lets unauthenticated remote attackers send a crafted URI to crash workers or achieve remote code execution. The vulnerability is triggered by a common config pattern: an unnamed PCRE capture ($1, $2) with a replacement string containing a question mark followed by another rewrite/if/set in the same scope. NGINX computes a destination buffer with one escaping assumption but writes using another, producing deterministic overflow shaped by attacker-controlled URI bytes. Affected builds include many NGINX Open Source and Plus releases, several F5/NGINX modules, and ingress/controller versions. Patch or reconfigure: upgrade to fixed releases (e.g., Open Source 1.31.0/1.30.1) or replace unnamed captures with named captures until patched.
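The summaries above all describe the same shape of bug: a "size then copy" script engine whose length pass is computed without escaping while the copy pass applies NGX_ESCAPE_ARGS, so every escapable byte in an attacker-controlled capture expands from one byte to three and the copy overruns the heap buffer the length pass sized. The C program below is an added example written for this page; it is not nginx source, the vendor's fix, or depthfirst's PoC, and it deliberately simplifies the escape set and the ngx_escape_uri() interface. The function names (`needs_arg_escape`, `escaped_len`, `escaped_copy`, `run_vulnerable`, `rewrite_capture_fixed`) and the sample capture `"a b c"` are constructed for illustration. The vulnerable variant models the heap as one contiguous region so the demonstration itself stays in bounds, and reports whether the overrun reached the pointer-sized field placed immediately after the buffer (standing in for the pool cleanup pointer the summaries mention); the fixed variant makes both passes use the same escaping mode and checks that they agree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/*
 * Simplified model of a two-pass "size then copy" script engine (added
 * example; not nginx source). Real nginx escapes a larger set of bytes and
 * ngx_escape_uri() has a different signature; the shape of the bug is the same.
 */

/* Approximation of the bytes NGX_ESCAPE_ARGS percent-encodes in a query string
 * (constructed subset for this example). */
static int needs_arg_escape(unsigned char c) {
    return c == ' ' || c == '"' || c == '#' || c == '%' || c == '<' || c == '>'
        || c < 0x20 || c >= 0x7f;
}

/* Pass 1 (length): bytes the copy pass will emit. With is_args set, every
 * escapable byte becomes "%XX", i.e. expands 1 -> 3. */
static size_t escaped_len(const unsigned char *src, size_t n, int is_args) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += (is_args && needs_arg_escape(src[i])) ? 3 : 1;
    return len;
}

/* Pass 2 (copy): writes the (possibly escaped) bytes, returns bytes written. */
static size_t escaped_copy(unsigned char *dst, const unsigned char *src, size_t n, int is_args) {
    static const char hex[] = "0123456789ABCDEF";
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_args && needs_arg_escape(src[i])) {
            dst[w++] = '%';
            dst[w++] = (unsigned char)hex[src[i] >> 4];
            dst[w++] = (unsigned char)hex[src[i] & 0x0f];
        } else {
            dst[w++] = src[i];
        }
    }
    return w;
}

typedef struct {
    size_t allocated;       /* size chosen by the length pass */
    size_t written;         /* bytes the copy pass actually emitted */
    int cleanup_clobbered;  /* did the overrun reach the adjacent field? */
} overflow_report;

/* Vulnerable pattern: the length pass runs with is_args = 0 (the "zeroed
 * sub-engine"), the copy pass with is_args = 1. The heap is modelled as one
 * region: [allocated bytes][pointer-sized field standing in for the pool
 * cleanup pointer][slack]. The region is sized for worst-case output, so this
 * demonstration never writes outside memory it owns. */
overflow_report run_vulnerable(const unsigned char *capture, size_t n) {
    overflow_report r = {0, 0, 0};
    r.allocated = escaped_len(capture, n, 0);          /* undersized: no escaping assumed */
    size_t region_size = 3 * n + sizeof(uintptr_t);
    unsigned char *region = calloc(region_size, 1);
    if (region == NULL) abort();
    unsigned char *cleanup = region + r.allocated;
    memset(cleanup, 0xAA, sizeof(uintptr_t));          /* sentinel: never a valid output byte */
    r.written = escaped_copy(region, capture, n, 1);   /* copy pass escapes anyway */
    for (size_t i = 0; i < sizeof(uintptr_t); i++)
        if (cleanup[i] != 0xAA) { r.cleanup_clobbered = 1; break; }
    free(region);
    return r;
}

/* Fixed pattern: both passes use the same escaping mode, and the copy pass is
 * checked against the length pass. Returns a NUL-terminated heap string the
 * caller frees, or NULL on allocation failure. */
unsigned char *rewrite_capture_fixed(const unsigned char *capture, size_t n, size_t *out_len) {
    size_t alloc = escaped_len(capture, n, 1);
    unsigned char *dst = malloc(alloc + 1);
    if (dst == NULL) return NULL;
    size_t w = escaped_copy(dst, capture, n, 1);
    if (w != alloc) { free(dst); abort(); }             /* the two passes must agree */
    dst[w] = '\0';
    if (out_len) *out_len = w;
    return dst;
}

int main(void) {
    /* Constructed sample: a path capture containing spaces, as from "/old/a b c". */
    const unsigned char capture[] = "a b c";
    size_t n = sizeof(capture) - 1;
    overflow_report r = run_vulnerable(capture, n);
    printf("vulnerable: allocated=%zu written=%zu cleanup_clobbered=%d\n",
           r.allocated, r.written, r.cleanup_clobbered);
    size_t len = 0;
    unsigned char *fixed = rewrite_capture_fixed(capture, n, &len);
    printf("fixed: \"%s\" (%zu bytes)\n", fixed, len);
    free(fixed);
    return 0;
}
```

For the five-byte capture `a b c` the length pass reserves 5 bytes while the copy pass emits 9 (`a%20b%20c`), so the last four bytes land in the field that follows the buffer; a capture with no escapable bytes fits exactly and leaves it untouched, which is why the overflow is shaped entirely by attacker-chosen URI bytes. The configuration-side workaround the summaries describe, switching from positional to named PCRE captures, is written in nginx syntax as `(?<name>...)` in the pattern and `$name` in the replacement (for instance `rewrite ^/old/(?<item>[^/]+)$ /new?item=$item? last;` in place of the `$1` form); this is an illustrative line, not a rule from the page, and it is a stopgap until the fixed release is deployed.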