CVE-2026-42945 — NGINX Heap Buffer Overflow RCE

CVE: CVE-2026-42945
CVSS: 9.2 — Critical
Vendor: NGINX / F5
Affected Versions: 0.6.27 through 1.30.0
Vulnerability Type: Heap Buffer Overflow
Impact: Unauthenticated Remote Code Execution
PoC Available: Yes — publicly on GitHub
Disclosed: May 13, 2026

What Is It

CVE-2026-42945 is a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module. The affected code dates from 2008, so every release from 0.6.27 through 1.30.0 is vulnerable. It was discovered autonomously by depthfirst’s security analysis system immediately after the NGINX source tree was onboarded, alongside three other memory corruption issues.

The flaw is a deterministic heap buffer overflow: an unauthenticated attacker can crash worker processes (denial of service) or achieve remote code execution. Because NGINX fronts a large share of the public internet, the exposure is broad.

Root Cause

NGINX’s script engine evaluates each rewrite-module value in two passes: a length pass first sums how many bytes the output will need, a buffer of that size is allocated, and a copy pass then writes the bytes into it. The overflow exists because the engine state consulted by the two passes is not the same.

When a rewrite directive’s replacement string contains a question mark, ngx_http_script_start_args_code sets e->is_args = 1 on the script engine shared by all rewrite-module directives in that location. Nothing resets the flag, so it is still set when the next directive’s codes run on the same engine.

For the set directive that follows, the length pass is evaluated with fresh engine state (is_args = 0) and returns the raw capture length. The copy pass runs on the shared engine, sees is_args = 1, and calls ngx_escape_uri with NGX_ESCAPE_ARGS, which expands every escapable byte to three bytes (%XX). The buffer allocated after the first pass is therefore undersized for what the second pass writes, and attacker-controlled, escaped URI data is written past the end of the heap allocation.
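The mismatch in miniature, as a reduced model added here (this is not NGINX code and not the researchers’ proof of concept): the vulnerable path sizes the buffer with one is_args state and copies with another, while a hardened variant sizes with the state the copy pass will actually use. The ARGS_ESCAPE table, the Engine fields and the sample capture are assumptions chosen to make the mechanism visible; the hardened path is one consistent way to close the gap and is not necessarily what the upstream patch does.

```python
# Added example: a reduced model of the two-pass script engine described above.
# Not NGINX code; the names echo NGINX concepts, but the escape table and the
# Engine fields are assumptions chosen to make the mechanism visible.
from __future__ import annotations

from dataclasses import dataclass

# Assumption: bytes that the model's NGX_ESCAPE_ARGS-style escaping expands to
# %XX (the real ngx_escape_uri table also covers control and non-ASCII bytes).
ARGS_ESCAPE = frozenset(b" #%&+;?")


def escape_args(data: bytes) -> bytes:
    """Each escapable byte becomes three bytes ('%' plus two hex digits)."""
    out = bytearray()
    for b in data:
        if b in ARGS_ESCAPE or b < 0x20 or b >= 0x7F:
            out += b"%%%02X" % b
        else:
            out.append(b)
    return bytes(out)


@dataclass
class Engine:
    """The script-engine state that matters for this bug."""
    captures: list[bytes]      # regex captures from the rewrite; index 0 models $1
    is_args: bool = False      # set by the '?' in a rewrite replacement


def capture_len_code(e: Engine, n: int) -> int:
    """Length pass for a capture: accounts for escaping only when is_args is set."""
    cap = e.captures[n]
    return len(escape_args(cap)) if e.is_args else len(cap)


def copy_capture_code(e: Engine, n: int) -> bytes:
    """Copy pass for a capture: escapes with NGX_ESCAPE_ARGS semantics when is_args is set."""
    cap = e.captures[n]
    return escape_args(cap) if e.is_args else cap


def start_args_code(e: Engine) -> None:
    """Runs for the '?' in a rewrite replacement; the flag is never cleared."""
    e.is_args = True


def run_set_directive(e: Engine, n: int, fixed: bool) -> tuple[int, int]:
    """Evaluate `set $var $N` on engine e; return (allocated, written) byte counts.

    Vulnerable path: the length codes run on a fresh engine (is_args = 0) while
    the copy codes run on the shared engine. Hardened path (an assumption, one
    consistent way to close the gap): size the buffer with the same is_args
    state the copy pass will see.
    """
    scratch = Engine(captures=e.captures, is_args=e.is_args if fixed else False)
    allocated = capture_len_code(scratch, n)
    written = len(copy_capture_code(e, n))
    return allocated, written


def simulate(capture: bytes, rewrite_has_question_mark: bool, fixed: bool) -> dict:
    """One request through `rewrite ... $1? break; set $x $1;` in miniature."""
    e = Engine(captures=[capture])
    if rewrite_has_question_mark:
        start_args_code(e)                 # state leaks into the next directive
    allocated, written = run_set_directive(e, 0, fixed)   # index 0 models $1
    return {"allocated": allocated, "written": written,
            "overflow": max(0, written - allocated)}


if __name__ == "__main__":
    # Constructed sample: a decoded path fragment with six escapable bytes.
    cap = b"users/a b&c;d?e#f%g"
    print("vulnerable:", simulate(cap, True, fixed=False))
    print("hardened:  ", simulate(cap, True, fixed=True))
    print("no '?':    ", simulate(cap, False, fixed=False))
```

Every escapable byte in the capture adds two bytes to the shortfall, so the attacker controls the overflow size directly through the request path; without the question mark in the rewrite, or with the length pass carrying the same state as the copy pass, the two counts agree.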

Trigger Condition

This vulnerability requires both a rewrite directive and a set directive in the same location, with the rewrite’s replacement string containing a question mark and the set copying a capture. Both are common building blocks in API gateway configurations: rewrite changes the request URI based on a regular expression, and set assigns values to custom variables, often to capture and store the original path before the rewrite occurs.

A vulnerable NGINX configuration example:

    location /api/ {
        rewrite ^/api/(.*)$ /v2/api/$1? break;
        set $original_path $1;
    }

Sibling CVEs — Full Batch

Four vulnerabilities were confirmed by NGINX from the same research batch:

CVE-2026-42945 — Critical, CVSS 9.2: Heap buffer overflow in ngx_http_rewrite_module leading to RCE.

CVE-2026-42946 — High, CVSS 8.3: Excessive memory allocation in ngx_http_scgi_module and ngx_http_uwsgi_module — a state mismatch after an incomplete upstream status line read causes a cross-buffer pointer subtraction producing a ~1TB key length, crashing the worker process.

CVE-2026-40701 — Medium, CVSS 6.3: Use after free in ngx_http_ssl_module — if a TLS connection closes before asynchronous OCSP DNS resolution completes, the context pool is destroyed without cancelling the resolver request. The DNS timer later dereferences the freed pointer.

CVE-2026-42934 — Medium, CVSS 6.3: Out-of-bounds read in ngx_http_charset_module — an off-by-one error when handling incomplete UTF-8 sequences across proxy buffer boundaries corrupts the length state.

Exploitation

The bug enables unauthenticated remote code execution against servers whose configuration uses rewrite and set directives together. A proof of concept demonstrating RCE with ASLR disabled is publicly available on GitHub, which makes prompt remediation a priority.

Attack vector: Network
Authentication required: None
User interaction: None
Complexity: Low — deterministic, reproducible heap overflow

Affected Scope

Given NGINX’s deployment footprint — powering nearly a third of all websites globally and serving as the primary reverse proxy and API gateway for enterprise deployments — the potential attack surface is enormous. Any organization running NGINX with rewrite and set directives in its configuration is at risk.

Detection

Look for in logs:

  • Requests against rewrite-configured endpoints whose URIs carry unusual percent-encoded or special-character sequences
  • Worker process crashes: error-log lines of the form "worker process N exited on signal 11" (or signal 6 when glibc’s heap checks abort the process), followed by the master starting a new worker
  • Unexpected heap-corruption signals (SIGSEGV, SIGABRT) from NGINX workers in application or host monitoring

Network indicators:

  • Unusual request patterns targeting API gateway endpoints with special character sequences in URI paths
  • High-volume requests to rewrite-configured locations from single source IPs
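Triage logic for the indicators above, as an added example that is not part of the advisory or of NGINX: it scans access-log lines for requests under rewrite-configured locations whose path carries percent-encoded or escapable bytes, counts per-source volume against those locations, and counts worker deaths by signal in the error log. The log lines are constructed samples; the combined log format, the rewrite_prefixes list, the per-IP threshold and the SUSPICIOUS_PATH_RE heuristic are assumptions to be tuned to the deployment.

```python
# Added example: triage helpers for the indicators listed above. Not from the
# advisory or from NGINX; the log lines are constructed and the heuristics are
# assumptions that should be tuned to the deployment.
import re
from collections import Counter

# Combined log format (assumed): ip - user [time] "METHOD target PROTO" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Message the nginx master writes to the error log when a worker dies on a signal.
WORKER_CRASH_RE = re.compile(r"worker process \d+ exited on signal (?P<sig>\d+)")
# Assumption: a path carrying percent-encoded bytes or characters that argument
# escaping expands (+ # & ;) is the kind that grows during the copy pass.
SUSPICIOUS_PATH_RE = re.compile(r"%[0-9A-Fa-f]{2}|[+#&;]")


def triage_access(lines, rewrite_prefixes, per_ip_threshold=3):
    """Return (flagged, noisy).

    flagged: (ip, target, status) for suspicious requests under a
             rewrite-configured prefix.
    noisy:   {ip: count} for sources hitting those prefixes at least
             per_ip_threshold times.
    """
    flagged, per_ip = [], Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                                   # not combined format; skip
        path = m.group("target").split("?", 1)[0]      # drop the query string
        if not any(path.startswith(p) for p in rewrite_prefixes):
            continue
        per_ip[m.group("ip")] += 1
        if SUSPICIOUS_PATH_RE.search(path):
            flagged.append((m.group("ip"), m.group("target"), m.group("status")))
    noisy = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}
    return flagged, noisy


def worker_crashes(error_lines):
    """Count worker terminations by signal number (11 = SIGSEGV, 6 = SIGABRT)."""
    crashes = Counter()
    for line in error_lines:
        m = WORKER_CRASH_RE.search(line)
        if m:
            crashes[int(m.group("sig"))] += 1
    return crashes


# Constructed sample log lines (not real traffic).
ACCESS_LOG = [
    '203.0.113.7 - - [13/May/2026:10:00:01 +0000] "GET /api/users/1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [13/May/2026:10:00:02 +0000] "GET /api/users/%25%25%25%25%25%25%25%25 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [13/May/2026:10:00:02 +0000] "GET /api/x%20%23%26%3B%3F HTTP/1.1" 502 0 "-" "python-requests/2.31"',
    '198.51.100.2 - - [13/May/2026:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [13/May/2026:10:00:06 +0000] "GET /api/items?q=a%20b HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
ERROR_LOG = [
    "2026/05/13 10:00:02 [alert] 1201#0: worker process 1202 exited on signal 11",
    "2026/05/13 10:00:02 [notice] 1201#0: start worker process 1210",
    "2026/05/13 10:00:03 [alert] 1201#0: worker process 1203 exited on signal 6 (core dumped)",
]

if __name__ == "__main__":
    # "/api/" is the location from the vulnerable configuration example above.
    flagged, noisy = triage_access(ACCESS_LOG, ["/api/"])
    for ip, target, status in flagged:
        print("suspicious:", ip, target, status)
    print("noisy sources:", noisy)
    print("worker crashes by signal:", dict(worker_crashes(ERROR_LOG)))
```

Correlating the two outputs is the useful step: a worker crash whose timestamp sits next to a flagged request from the same source is a much stronger signal than either line alone.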

Remediation

Immediate:

  • Update NGINX to version 1.30.1 or later — patch released May 13, 2026
  • For NGINX Plus — apply the F5 advisory patch per K000161019

If patching is not immediately possible:

  • Audit NGINX configurations for rewrite + set directive combinations
  • Consider temporarily removing or modifying configurations that use both directives together
  • Deploy WAF rules to block requests with suspicious URI patterns targeting rewrite locations
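An auditor for the first mitigation step, added here as an example (not part of the advisory or of NGINX): it tokenizes a dumped configuration and reports every block that contains both a rewrite whose replacement has a question mark and a set whose value references a capture. The tokenizer covers only the subset of nginx.conf syntax needed here, the sample configuration is constructed, and the check is deliberately conservative: directive order and the rewrite’s last/break flag are ignored, and directives inside an if block are credited to the enclosing block.

```python
# Added example: find blocks that combine the two directives the advisory names.
# Not from the advisory or from NGINX; the tokenizer is a small subset of
# nginx.conf syntax and the sample configuration is constructed.
import re
import sys

CAPTURE_REF = re.compile(r"\$\d")     # $1 ... $9 references in a set value
IF_BLOCK = re.compile(r"if\b")


def tokenize(text):
    """Split nginx.conf text into tokens plus '{', '}' and ';' (comments dropped,
    quoted strings unwrapped). Assumption: unquoted tokens never contain braces
    or semicolons, which is what nginx itself requires."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                                  # comment to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":                                # quoted string
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1
            tokens.append(text[i + 1:j])
            i = j + 1
        else:                                           # bare word
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def find_risky_blocks(text):
    """Return [(block_path, rewrites, sets)] for every block holding both a
    rewrite whose replacement contains '?' and a set referencing a capture.
    An if body is credited to its enclosing block, since it shares that
    block's rewrite-module code sequence."""
    stack, frames, stmt, findings = [], [{"rewrites": [], "sets": []}], [], []
    for tok in tokenize(text):
        if tok == "{":
            stack.append(" ".join(stmt))
            frames.append({"rewrites": [], "sets": []})
            stmt = []
        elif tok == "}":
            frame, name = frames.pop(), stack.pop()
            if IF_BLOCK.match(name):
                frames[-1]["rewrites"] += frame["rewrites"]
                frames[-1]["sets"] += frame["sets"]
            elif frame["rewrites"] and frame["sets"]:
                findings.append((" > ".join(stack + [name]), frame["rewrites"], frame["sets"]))
            stmt = []
        elif tok == ";":
            if len(stmt) >= 3:                          # directive with 2+ args
                if stmt[0] == "rewrite" and "?" in stmt[2]:      # stmt[2] = replacement
                    frames[-1]["rewrites"].append(" ".join(stmt))
                elif stmt[0] == "set" and CAPTURE_REF.search(stmt[2]):   # stmt[2] = value
                    frames[-1]["sets"].append(" ".join(stmt))
            stmt = []
        else:
            stmt.append(tok)
    return findings


# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = r"""
http {
    server {
        listen 80;
        location /api/ {                  # the pattern from the advisory
            rewrite ^/api/(.*)$ /v2/api/$1? break;
            set $original_path $1;
        }
        location /legacy/ {               # no '?' in the replacement
            rewrite ^/legacy/(.*)$ /new/$1 break;
            set $original_path $1;
        }
        location /app/ {                  # set inside if shares the engine
            rewrite "^/app/(.*)$" "/v3/$1?" last;
            if ($http_x_debug) {
                set $dbg $1;
            }
        }
        location /static/ { root /var/www; }
    }
}
"""

if __name__ == "__main__":
    # Usage: nginx -T > full.conf && python3 audit.py full.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for path, rewrites, sets in find_risky_blocks(text):
        print(path)
        for directive in rewrites + sets:
            print("   ", directive + ";")
```

Feed it the output of nginx -T rather than a single file so included snippets and per-site files are covered; the comment lines that -T adds are dropped by the tokenizer.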

Verify the patch:

    nginx -v

This prints "nginx version: nginx/1.30.1" (or later) to stderr. Note that -v reports the binary on disk: a master process started before the upgrade keeps running the old code until NGINX is restarted or upgraded in place with the USR2 binary-upgrade procedure, so also confirm that the running master was started after the package was updated.

F5 advisory reference: K000161019
Official disclosure: openwall.com/lists/oss-security/2026/05/13/7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
