Skip to main content
  1. Active Vulnerability List/
  2. 2026/

CVE-2026-42945 | NGINX | HO

FieldDetails
VulnerabilityCVE-2026-42945
NicknameNGINX Rift
Affected Componentngx_http_rewrite_module
TypeHeap buffer overflow in NGINX’s rewrite script engine
DescriptionNGINX Plus and NGINX Open Source contain a vulnerability in ngx_http_rewrite_module. The bug is triggered when a rewrite directive is followed by another rewrite, if, or set directive, and an unnamed PCRE capture such as $1 or $2 is used with a replacement string that contains a question mark (?). An unauthenticated attacker can send crafted HTTP requests that cause a heap buffer overflow in the NGINX worker process.
Official ImpactThe official advisory says the bug may cause the NGINX worker process to restart. It also states that code execution is possible when ASLR is disabled.
SeverityF5 CNA scores: CVSS v3.1 8.1 High and CVSS v4.0 9.2 Critical. The nginx.org security advisories page labels the issue severity as medium, so there is an official severity discrepancy between the advisory page and the CNA scoring.
Affected VersionsNGINX Open Source: 0.6.27 through 1.30.0.
NGINX Plus: R32 through R36.
Fixed VersionsNGINX Open Source: 1.30.1 and 1.31.0.
NGINX Plus: R36 P4, R35 P2, and R32 P6.
Root CauseNGINX’s rewrite script engine uses a two-pass process: first it computes the output length, then it copies data into the buffer. In the vulnerable path, the rewrite replacement sets is_args = 1 when the replacement contains ?, but the length-calculation pass runs in a freshly zeroed sub-engine where is_args = 0. As a result, the length pass computes the raw capture length, while the copy pass later calls ngx_escape_uri(..., NGX_ESCAPE_ARGS), which can expand escapable characters from 1 byte to 3 bytes and overflow the undersized heap buffer.
Trigger PatternThe vulnerable pattern is a rewrite with unnamed regex captures such as $1 or $2, where the replacement contains ?, followed by rewrite, if, or set. The depthfirst write-up and PoC environment highlight the especially common rewrite + set combination.
Example Vulnerable Patternnginx<br>location ~ ^/api/(.*)$ {<br> rewrite ^/api/(.*)$ /internal?migrated=true;<br> set $original_endpoint $1;<br>}<br>
Why ? MattersThe ? in the rewrite replacement causes NGINX to treat the remaining string as query-string related data and sets internal state that changes escaping behavior during the copy pass. This is the key condition that makes the length calculation and copy behavior diverge.
Exploitability ConditionsThe bug is remote and unauthenticated at the HTTP layer, but exploitation still depends on a vulnerable configuration being present. The official advisory says a crash is possible generally, and RCE becomes possible on systems with ASLR disabled.
What the Repo DemonstratesThe repo is an RCE proof of concept for CVE-2026-42945. It builds a vulnerable NGINX environment in Docker, disables ASLR with setarch x86_64 -R, and provides poc.py that can either execute an arbitrary command with --cmd or attempt a reverse shell with --shell.
PoC Environment DetailsThe repo says it was tested on Ubuntu 24.04.3 LTS. Its Docker environment compiles NGINX from source, checks out commit 98fc3bb78, exposes the vulnerable server on port 19321, and runs a simple Python backend on 127.0.0.1:19323.
Repo Exploitation StrategyThe repo describes cross-request heap feng shui. It uses the overflow to corrupt an adjacent ngx_pool_t structure’s cleanup pointer. Because URI bytes cannot safely carry arbitrary null-containing pointers, the PoC sprays heap data using POST bodies, placing a fake ngx_pool_cleanup_s structure and command string in memory, then redirects cleanup handling so system() is invoked when the victim pool is destroyed.
Key Technical PrimitiveThe exploit aims to turn a controllable overflow into a cleanup callback hijack by abusing the ngx_pool_t cleanup linked-list mechanism during pool destruction.
Why POST Bodies Are Used in the PoCThe write-up explains that request URIs are heavily constrained by URI parsing and escaping, making them unsuitable for arbitrary binary data. The PoC instead uses POST request bodies as a spray mechanism because they can carry raw binary data including null bytes.
Visible PoC MechanicsIn poc.py, the spray phase uses repeated POST /spray requests with a long body and X-Delay: 60. The trigger phase sends a crafted GET /api/... request containing a large sequence of characters, including many + characters to maximize expansion by ngx_escape_uri. The script also checks whether the worker crashed or became unresponsive after the trigger.
Operational CaveatThe public repo demonstrates RCE only in a lab setup with ASLR disabled. That matches the official advisory, which explicitly says code execution is possible on systems with ASLR disabled.
Exposure / Detection GuidanceThe most important detection step is configuration review. Search NGINX configs for a rewrite that uses unnamed captures like $1 or $2, where the replacement contains ?, and that is followed by rewrite, if, or set. Any affected NGINX version with that pattern should be treated as exposed until patched or reconfigured.
Runtime SymptomsOfficially documented runtime impact includes worker process restart. In a lab context, suspicious behavior would include crafted requests to vulnerable locations causing worker crashes, hangs, or instability.
MitigationUpgrade to NGINX Open Source 1.30.1 or 1.31.0, or the corresponding NGINX Plus fixed releases. If immediate patching is not possible, remove or refactor the vulnerable configuration pattern so the risky rewrite plus unnamed capture plus ? combination is no longer followed by rewrite, if, or set.
Related Issues Disclosed Alongside ItThe repo notes that the same automated analysis also found CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934, but this repo specifically targets CVE-2026-42945.
References- https://github.com/DepthFirstDisclosures/Nginx-Rift
- https://depthfirst.com/nginx-rift
- https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2026-42945
- https://nginx.org/en/security_advisories.html
- https://seclists.org/oss-sec/2026/q2/519