Critical Nginx Vulnerability Allows Unauthenticated Remote Code Execution
Autonomous discovery by DepthFirstDisclosures reveals the flaw has existed since 2008, with proof-of-concept exploits now available on GitHub.
A critical security flaw has been identified in the NGINX web server software, allowing unauthenticated attackers to execute remote code on affected systems. The vulnerability, designated CVE-2026-42945, resides in the ngx_http_rewrite_module and enables remote code execution through a heap buffer overflow. The issue was autonomously discovered by the security analysis system of DepthFirstDisclosures, with a proof-of-concept exploit subsequently published on GitHub under the repository DepthFirstDisclosures/Nginx-Rift.
The flaw originates from a logic error in NGINX’s script engine, which utilises a two-pass process to handle rewrite and set directives. During the first pass, the engine computes the required buffer size, while the second pass copies data into that buffer. A discrepancy in how the is_args flag is handled allows attacker-controlled URI data to overflow an undersized heap buffer. Specifically, the flag is set on the main engine when a rewrite replacement contains a question mark, but the length-calculation pass operates on a freshly zeroed sub-engine, leading to a miscalculation of the necessary buffer space.
Exploitation of this vulnerability relies on a memory-layout manipulation technique known as cross-request heap feng shui. Because the overflowing URI bytes cannot contain null bytes, the attacker sprays POST bodies to corrupt the cleanup pointer of an adjacent ngx_pool_t. The corrupted pointer is redirected to a fake ngx_pool_cleanup_s structure, which invokes system() when the pool is destroyed. The vulnerability affects servers that use rewrite and set directives, posing a significant risk to infrastructure relying on those configurations.
The ngx_http_rewrite_module has been part of NGINX since its introduction in 2008, meaning the underlying code structure has been susceptible to this specific logic error for over a decade. The discovery of CVE-2026-42945 was part of a broader discovery cycle that identified three other memory corruption issues: CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934. These findings were generated after the DepthFirstDisclosures system onboarded the NGINX source code, highlighting the efficacy of autonomous analysis in identifying long-standing defects.
F5 has issued a vendor advisory, identified as K000160932, regarding the vulnerability. The disclosure underscores the importance of patching and monitoring for exploitation attempts, particularly given the availability of public exploit code. Organisations managing NGINX deployments are advised to review their configurations and apply necessary updates to mitigate the risk of unauthenticated remote code execution.
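As an added example (not code from the advisory, the PoC repository or the NGINX project), the following Python audit scans nginx configuration text for the rewrite and set directives the advisory names, and flags rewrite replacements containing a question mark, since the article ties the buffer-size miscalculation to that case. The sample configuration is constructed, and the script assumes a single file with no include directives to follow.

```python
import re
from dataclasses import dataclass

# Constructed nginx configuration fragment used as sample input (not a real deployment).
SAMPLE_CONF = """\
server {
    listen 80;
    # rewrite ^ /ignored? ; (comment-only lines are skipped)
    set $args_backup $args;
    location /old {
        rewrite ^/old/(.*)$ /new/$1?legacy=1 permanent;
    }
    location /plain {
        rewrite ^/plain/(.*)$ /static/$1 last;
    }
    location /q {
        rewrite "^/q/(.*)$" "/search?term=$1" break;
    }
}
"""

# One nginx token: double-quoted, single-quoted, or bare (up to whitespace or ';').
_TOKEN = r'''(?:"[^"]*"|'[^']*'|[^\s;]+)'''
_REWRITE_RE = re.compile(rf"^[ \t]*rewrite\s+({_TOKEN})\s+({_TOKEN})(?:\s+({_TOKEN}))?\s*;", re.M)
_SET_RE = re.compile(rf"^[ \t]*set\s+(\$\w+)\s+({_TOKEN})\s*;", re.M)

@dataclass
class Finding:
    line: int        # 1-based line in the config text
    directive: str   # "rewrite" or "set"
    detail: str      # replacement (rewrite) or "$var = value" (set)
    severity: str    # "high" for rewrite replacements containing '?', else "review"

def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'" else tok

def audit_nginx_config(text):
    # Blank out comment-only lines but keep the newlines so line numbers stay correct.
    src = re.sub(r"^[ \t]*#.*$", "", text, flags=re.M)
    findings = []
    for m in _REWRITE_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        repl = _unquote(m.group(2))
        # The advisory ties the size miscalculation to replacements containing '?'.
        findings.append(Finding(line, "rewrite", repl, "high" if "?" in repl else "review"))
    for m in _SET_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, "set", f"{m.group(1)} = {_unquote(m.group(2))}", "review"))
    return sorted(findings, key=lambda f: f.line)
```

Running it over a real deployment means walking the nginx configuration directory and following include directives, which this version deliberately leaves out; the fixed releases are listed in the F5 advisory, not here.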