CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42945: Heap-based Buffer Overflow in NGINX ngx_http_rewrite_module

Vulnerability ID: CVE-2026-42945
CVSS Score: 8.1
Published: 2026-05-13

A heap-based buffer overflow vulnerability exists in the NGINX ngx_http_rewrite_module due to an inconsistency in the two-pass script execution engine. Discovered by depthfirst, this flaw allows unauthenticated remote attackers to trigger memory corruption under specific configuration conditions, resulting in denial of service or remote code execution.

TL;DR

CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module. An unauthenticated attacker can crash worker processes or execute arbitrary code if the server configuration combines specific rewrite and capture directives.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-122
  • Attack Vector: Network
  • CVSS Score: 8.1
  • Impact: Remote Code Execution / Denial of Service
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • NGINX Open Source
  • NGINX Plus
  • NGINX Open Source: >= 0.6.27, <= 1.30.0 (Fixed in: 1.30.1)
  • NGINX Plus: >= R32, <= R36 (Fixed in: R36 P4)

Exploit Details

  • GitHub: Proof of Concept code demonstrating the heap overflow conditions and memory corruption via NGINX rewrite evaluation.

Mitigation Strategies

  • Upgrade NGINX Open Source to version 1.30.1 or 1.31.0.
  • Upgrade NGINX Plus to version R36 P4, R32 P6, or R37.
  • Replace unnamed regex capture groups and their positional references (e.g., $1) with named capture groups in configuration files.
  • Audit nginx.conf for rewrite directives containing '?' followed by variable assignments.
  • Deploy WAF rules to detect payloads with excessive space or ampersand characters directed at rewrite endpoints.

Remediation Steps:

  1. Identify all NGINX instances operating versions 0.6.27 through 1.30.0.
  2. Analyze configuration files for the specific vulnerable pattern: a rewrite directive containing a '?' that precedes unnamed capture usage (e.g., $1).
  3. If patching is not immediately feasible, modify the configuration to use named regex captures (e.g., (?<varname>.*)).
  4. Test the configuration syntax using nginx -t to ensure no routing disruptions occur.
  5. Download and install the patched binary versions via your operating system package manager or from source.
  6. Restart the NGINX service to apply the updated binaries.
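An added audit helper (written for this post, not code from the CVE report or from NGINX) that implements steps 2 and 3 above: it flags rewrite directives whose replacement contains a '?' followed by an unnamed capture reference such as $1, and proposes an equivalent named-capture form. The nginx.conf fragment is constructed, and the check is a heuristic on the pattern described above rather than a proof that a given rewrite is exploitable.

```python
import re
# Constructed nginx.conf fragment for demonstration (not a real deployment).
SAMPLE_CONF = """
server {
    listen 80;
    # Flagged: '?' in the replacement followed by the unnamed capture $1.
    rewrite ^/old/(.*)$ /new?path=$1 last;
    # Not flagged: named captures only.
    rewrite ^/api/(?<ver>v[0-9]+)/(?<rest>.*)$ /backend?v=$ver&p=$rest last;
    # Not flagged: unnamed capture, but no '?' in the replacement.
    rewrite "^/img/(.*)$" "/static/$1" permanent;
}
"""

# One rewrite argument: double-quoted, single-quoted, or bare token.
ARG = r'"[^"]*"|\'[^\']*\'|\S+'
REWRITE_RE = re.compile(rf'^\s*rewrite\s+({ARG})\s+({ARG})(?:\s+\S+)?\s*;', re.M)
UNNAMED_REF_RE = re.compile(r'\$([1-9])')  # nginx positional captures $1..$9

def _unquote(arg: str) -> str:
    return arg[1:-1] if len(arg) > 1 and arg[0] == arg[-1] and arg[0] in '"\'' else arg

def find_suspect_rewrites(conf: str) -> list[tuple[str, str]]:
    """(regex, replacement) pairs whose replacement has '?' followed by $1..$9 (step 2)."""
    hits = []
    for m in REWRITE_RE.finditer(conf):
        regex, repl = _unquote(m.group(1)), _unquote(m.group(2))
        qpos = repl.find('?')
        if qpos != -1 and UNNAMED_REF_RE.search(repl, qpos):
            hits.append((regex, repl))
    return hits

def to_named_captures(regex: str, repl: str) -> tuple[str, str]:
    """Rename unnamed groups to (?<cN>...) and $N to $cN (step 3); heuristic that
    skips escaped parentheses and '(' inside character classes."""
    out, n, i, in_class = [], 0, 0, False
    while i < len(regex):
        ch = regex[i]
        if ch == '\\' and i + 1 < len(regex):  # keep escape sequences verbatim
            out.append(regex[i:i + 2]); i += 2; continue
        if in_class:
            in_class = ch != ']'
        elif ch == '[':
            in_class = True
        elif ch == '(' and not regex.startswith('(?', i):  # plain capture group
            n += 1
            out.append(f'(?<c{n}>'); i += 1; continue
        out.append(ch); i += 1
    return ''.join(out), UNNAMED_REF_RE.sub(r'$c\1', repl)
```

Run `find_suspect_rewrites` over each nginx.conf (and included files), then feed every hit through `to_named_captures` and verify the result with `nginx -t` before reloading.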

Read the full report for CVE-2026-42945 on our website for more details including interactive diagrams and full exploit analysis.