Nginx Buffer Overflow Bug Allows Remote Code Execution

Huma Shazia · 15 May 2026 at 5:08 am · 4 min read
Key Takeaways

Source: Hacker News: Best
  • CVE-2026-42945 is a heap buffer overflow in Nginx's ngx_http_rewrite_module present since 2008
  • The bug enables unauthenticated remote code execution on servers using rewrite and set directives
  • Nginx Open Source users should upgrade to 1.31.0 or 1.30.1; Nginx Plus users need R36 P4, R35 P2, or R32 P6

The Bug That Hid for 18 Years

A critical security vulnerability in Nginx has been sitting in plain sight since 2008. Security researchers at DepthFirst discovered CVE-2026-42945, a heap buffer overflow in Nginx's ngx_http_rewrite_module that allows unauthenticated attackers to execute arbitrary code on vulnerable servers.

The flaw affects Nginx Open Source versions 0.6.27 through 1.30.0, and Nginx Plus versions R32 through R36. Given that Nginx powers roughly a third of the internet's web servers, the exposure is significant.

DepthFirst claims their autonomous security analysis system found this vulnerability, along with three other memory corruption issues, after simply onboarding the Nginx source code. The companion CVEs are CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934.

How the Exploit Works

Nginx's script engine processes a rewrite directive in two passes. First, it calculates the size of the buffer the rewritten URI needs. Then it copies the data into a buffer of that size. The vulnerability is a mismatch between what those two passes count.

When a rewrite replacement contains a question mark, Nginx sets an is_args flag on the main script engine. The length calculation, however, runs on a freshly zeroed sub-engine whose is_args is zero, so the length pass counts each regex capture at its raw length. The copy pass then runs on the main engine, sees is_args set to 1, and passes the capture through ngx_escape_uri with NGX_ESCAPE_ARGS, which expands every byte that needs escaping into its three-byte %XX form.

The result: the copy pass writes past the end of the undersized heap buffer, by two extra bytes for every capture byte that gets escaped, and the capture is attacker-controlled URI data.
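As an added illustration (this is not nginx's code and not the DepthFirst proof of concept), the following Python model reproduces the accounting mismatch described above: a length pass on a fresh engine whose is_args flag is never set, and a copy pass on the main engine that flips is_args when it reaches the '?' and then expands each escapable capture byte to three. The escape table, the op format and every name in it (ScriptEngine, compile_replacement, length_pass, copy_pass, overflow_bytes) are this example's own simplifications, and the fixed flag shows one way to make the two passes agree, not necessarily the change F5 shipped.

```python
from dataclasses import dataclass, field

# Illustrative subset of bytes an args-style escape expands to "%XX". The real
# table lives inside ngx_escape_uri (NGX_ESCAPE_ARGS) and is not copied here.
ARGS_ESCAPE = set(b' "#%&+<>') | set(range(0x00, 0x20)) | set(range(0x7F, 0x100))


def escape_args(data: bytes) -> bytes:
    """Expand each byte in ARGS_ESCAPE to its three-byte %XX form."""
    out = bytearray()
    for b in data:
        out += b"%%%02X" % b if b in ARGS_ESCAPE else bytes([b])
    return bytes(out)


@dataclass
class ScriptEngine:
    """Only the state this model needs: the is_args flag and an output buffer."""
    is_args: bool = False
    buf: bytearray = field(default_factory=bytearray)


def compile_replacement(replacement: bytes) -> list:
    """Turn b"/new?q=$1" into ops: ("lit", b"/new"), ("args", None), ("lit", b"q="), ("cap", 1)."""
    ops, lit, i = [], bytearray(), 0
    while i < len(replacement):
        c = replacement[i:i + 1]
        nxt = replacement[i + 1:i + 2]
        if c == b"?" or (c == b"$" and nxt.isdigit()):
            if lit:
                ops.append(("lit", bytes(lit)))
                lit = bytearray()
            if c == b"?":
                ops.append(("args", None))
                i += 1
            else:
                ops.append(("cap", int(nxt)))
                i += 2
        else:
            lit += c
            i += 1
    if lit:
        ops.append(("lit", bytes(lit)))
    return ops


def length_pass(ops, captures, le: ScriptEngine, propagate_is_args: bool) -> int:
    """Pass 1, sizing. Vulnerable flow: the fresh sub-engine never learns about the
    '?', so every capture is counted at raw length. Fixed flow (this model's fix):
    the '?' flips the sub-engine's flag too, so sizing matches the copy."""
    total = 0
    for kind, val in ops:
        if kind == "lit":
            total += len(val)
        elif kind == "args":
            total += 1  # the '?' itself
            if propagate_is_args:
                le.is_args = True
        else:
            cap = captures[val]
            total += len(escape_args(cap)) if le.is_args else len(cap)
    return total


def copy_pass(ops, captures, e: ScriptEngine) -> bytes:
    """Pass 2, writing. Reaching the '?' sets is_args on the main engine, and
    every capture after it goes through the three-byte expansion."""
    for kind, val in ops:
        if kind == "lit":
            e.buf += val
        elif kind == "args":
            e.is_args = True
            e.buf += b"?"
        else:
            cap = captures[val]
            e.buf += escape_args(cap) if e.is_args else cap
    return bytes(e.buf)


def overflow_bytes(replacement: bytes, captures: dict, fixed: bool = False) -> int:
    """Bytes the copy pass writes beyond what the length pass sized; > 0 is an overrun."""
    ops = compile_replacement(replacement)
    allocated = length_pass(ops, captures, ScriptEngine(), propagate_is_args=fixed)
    written = copy_pass(ops, captures, ScriptEngine())
    return len(written) - allocated


if __name__ == "__main__":
    # Constructed input: a capture made of bytes that all escape to %XX.
    cap = {1: b"<<<<"}
    print("vulnerable:", overflow_bytes(b"/new?path=$1", cap), "bytes past the buffer")
    print("fixed:     ", overflow_bytes(b"/new?path=$1", cap, fixed=True), "bytes past the buffer")
    print("capture before '?':", overflow_bytes(b"/b/$1?", cap), "(copied raw in this model)")
```

overflow_bytes returns how many bytes the copy pass writes past the size the length pass computed: with a capture of four '<' bytes and the replacement /new?path=$1 it is 8, and 0 once the sizing pass tracks is_args. The third call shows that, in this model, a capture placed before the '?' is copied raw and does not overrun, which is why the position of the '?' in the replacement matters.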

DepthFirst's proof of concept uses what they call cross-request heap feng shui. The overflowing URI bytes corrupt the cleanup pointer of an adjacent ngx_pool_t. Because URI bytes cannot contain null bytes, the fake ngx_pool_cleanup_s structure that the corrupted pointer is redirected to is staged in the heap through POST bodies sent in other requests. When the pool is destroyed, Nginx walks its cleanup list and calls the fake entry's handler, which invokes system().

Which Servers Are Vulnerable

Not every Nginx installation is at risk. The vulnerability affects servers whose configuration uses rewrite and set directives. If your effective configuration uses neither, you are not exposed to this particular attack, though upgrading is still the right move given the three companion CVEs. Check the configuration Nginx actually loads, including every file pulled in through include: nginx -T prints the full merged config, which is more reliable than reading nginx.conf alone.

That said, rewrite rules are extremely common. They handle URL redirects, clean URLs, proxy configurations, and countless other routing tasks. Most production Nginx deployments use them somewhere.

Patched Versions

F5, which maintains Nginx, has released patches for both product lines:

  • Nginx Open Source: upgrade to 1.31.0 or 1.30.1
  • Nginx Plus R36: upgrade to R36 P4
  • Nginx Plus R35: upgrade to R35 P2
  • Nginx Plus R32: upgrade to R32 P6

The full vendor advisory is available at F5's support portal under article K000160932.

Proof of Concept Is Public

DepthFirst has published a working proof of concept on GitHub. The exploit was tested on Ubuntu 24.04.3 LTS and includes a Docker setup for spinning up a vulnerable Nginx server. Running python3 poc.py --shell pops a shell on the target.

Public exploit code means this is not a theoretical risk. Anyone can download and run it. Organizations running unpatched Nginx installations should treat this as an active threat.


Logicity's Take

What to Do Now

  1. Check your Nginx version: run nginx -v on every server (it prints to stderr, so capture 2>&1 in scripts)
  2. Review the effective configuration for rewrite and set directives to assess exposure; nginx -T prints the full merged config, including every included file
  3. Apply the vendor patch or upgrade to a fixed version immediately
  4. Monitor access logs for unusual URI patterns, especially escape-heavy URIs arriving alongside POST requests
  5. Consider WAF rules that block suspiciously long or escape-heavy URIs as a temporary mitigation; this is a stopgap and does not replace patching
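To make steps 1 and 2 repeatable, and to answer the "which servers are vulnerable" question above, here is an added Python audit helper. It is not part of the article, nor DepthFirst's or F5's tooling. It applies exactly the two conditions the article gives: an Open Source version in the affected range (0.6.27 through 1.30.0) and rewrite or set directives in the effective configuration. It does not claim to reproduce the exact trigger; it only highlights rewrite replacements containing a '?' (which the article says is what sets is_args) and the captures those replacements or set directives copy. Names such as audit_config, exposure and SAMPLE_CONF are this example's, the sample config is constructed, and Nginx Plus release numbers (R32 through R36) are not modelled.

```python
import re
import subprocess

# Affected Nginx Open Source range as the article states it.
AFFECTED_MIN, AFFECTED_MAX = (0, 6, 27), (1, 30, 0)

# One nginx config token: a quoted string or a run of non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')

# Constructed sample config for this example, not a real deployment.
SAMPLE_CONF = """\
# constructed sample config for this example, not a real deployment
server {
    listen 80;
    set $backend "app";                        # plain set
    if ($uri ~ ^/old/(.*)$) {
        set $tail $1;                          # set that copies a capture
    }
    rewrite ^/old/(.*)$ /new?path=$1 last;     # '?' then a capture
    rewrite ^/x/(.*)$ /y/$1 last;              # capture, no '?'
    rewrite ^/legacy/?$ /new?from=legacy permanent;
    location / {
        proxy_pass http://$backend;
    }
}
"""


def parse_version(text: str):
    """Pull (1, 24, 0) out of "nginx version: nginx/1.24.0"; None if absent."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(version) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def installed_version():
    """Run nginx -v (it prints to stderr); None if nginx is not on PATH."""
    try:
        proc = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_version(proc.stdout + proc.stderr)


def audit_config(text: str) -> dict:
    """Inventory rewrite and set directives in nginx config text (nginx -T output
    is the best input, since it includes every included file).

    Comments are dropped, then the text is split on ';' and braces so a directive
    spanning several lines is still one statement. Caveat: a '#' inside a quoted
    string is mis-read as a comment by this simple scanner."""
    stripped = re.sub(r"#[^\n]*", "", text)      # keep newlines for line numbers
    findings = {"rewrite": [], "set": []}
    for m in re.finditer(r"[^;{}]+", stripped):
        raw = m.group()
        stmt = raw.strip()
        if not stmt:
            continue
        offset = m.start() + (len(raw) - len(raw.lstrip()))
        line = stripped.count("\n", 0, offset) + 1
        tokens = [t.strip("\"'") for t in _TOKEN.findall(stmt)]
        if tokens[0] == "rewrite" and len(tokens) >= 3:
            findings["rewrite"].append({
                "line": line,
                "regex": tokens[1],
                "replacement": tokens[2],
                "has_args": "?" in tokens[2],           # what sets is_args, per the article
                "captures": re.findall(r"\$\d", tokens[2]),
            })
        elif tokens[0] == "set" and len(tokens) >= 3:
            findings["set"].append({
                "line": line,
                "variable": tokens[1],
                "value": tokens[2],
                "captures": re.findall(r"\$\d", tokens[2]),
            })
    return findings


def exposure(version, findings) -> str:
    """One-line verdict following the article's two conditions."""
    uses_directives = bool(findings["rewrite"] or findings["set"])
    if version is None:
        return "version unknown: check nginx -v manually"
    if not is_affected_version(version):
        return "version not in the affected range"
    if not uses_directives:
        return "affected version, but no rewrite/set directives found"
    return "affected version with rewrite/set directives: patch now"


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONF)
    for kind in ("rewrite", "set"):
        for entry in findings[kind]:
            print(f"line {entry['line']}: {kind} {entry}")
    # Hypothetical version for the demo; on a real host use installed_version().
    print(exposure((1, 24, 0), findings))
    print("installed:", installed_version())
```

Run it as a script to audit the constructed sample; for a real host, pipe the output of nginx -T into audit_config instead of SAMPLE_CONF and pass installed_version() to exposure. Entries with has_args set and a non-empty captures list are the ones to look at first, but every rewrite and set directive counts under the article's definition of exposure.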

Frequently Asked Questions

What is CVE-2026-42945?

CVE-2026-42945 is a critical heap buffer overflow vulnerability in Nginx's ngx_http_rewrite_module. It allows unauthenticated attackers to execute arbitrary code on vulnerable servers that use rewrite and set directives.

Which Nginx versions are affected by this vulnerability?

Nginx Open Source versions 0.6.27 through 1.30.0 and Nginx Plus versions R32 through R36 are affected. Fixed versions are Nginx Open Source 1.31.0 or 1.30.1, and corresponding Nginx Plus patches.

How do I know if my Nginx server is vulnerable?

Check your version with nginx -v. If you are running an affected version and your effective configuration uses rewrite or set directives, you are vulnerable. Review nginx.conf and every included config file for these directives; nginx -T prints the fully merged configuration so nothing is missed.

Is there a public exploit available for CVE-2026-42945?

Yes. DepthFirst has published a working proof of concept on GitHub that can pop a shell on vulnerable servers. This increases the urgency of patching.

How long has this Nginx vulnerability existed?

The vulnerability was introduced in 2008 with Nginx version 0.6.27, so by its disclosure in May 2026 it had been in the codebase for roughly 18 years.


Huma Shazia

Senior AI & Tech Writer
