CVE-2026-42945 | NGINX | HO
| Field | Details |
|---|---|
| Vulnerability | CVE-2026-42945 |
| Nickname | NGINX Rift |
| Affected Component | ngx_http_rewrite_module |
| Type | Heap buffer overflow in NGINX’s rewrite script engine |
| Description | NGINX Plus and NGINX Open Source contain a vulnerability in ngx_http_rewrite_module. The bug is triggered when a rewrite directive is followed by another rewrite, if, or set directive, and an unnamed PCRE capture such as $1 or $2 is used with a replacement string that contains a question mark (?). An unauthenticated attacker can send crafted HTTP requests that cause a heap buffer overflow in the NGINX worker process. |
| Official Impact | The official advisory says the bug may cause the NGINX worker process to restart. It also states that code execution is possible when ASLR is disabled. |
| Severity | F5 CNA scores: CVSS v3.1 8.1 High and CVSS v4.0 9.2 Critical. The nginx.org security advisories page labels the issue severity as medium, so there is an official severity discrepancy between the advisory page and the CNA scoring. |
| Affected Versions | NGINX Open Source: 0.6.27 through 1.30.0.NGINX Plus: R32 through R36. |
| Fixed Versions | NGINX Open Source: 1.30.1 and 1.31.0.NGINX Plus: R36 P4, R35 P2, and R32 P6. |
| Root Cause | NGINX’s rewrite script engine uses a two-pass process: first it computes the output length, then it copies data into the buffer. In the vulnerable path, the rewrite replacement sets is_args = 1 when the replacement contains ?, but the length-calculation pass runs in a freshly zeroed sub-engine where is_args = 0. As a result, the length pass computes the raw capture length, while the copy pass later calls ngx_escape_uri(..., NGX_ESCAPE_ARGS), which can expand escapable characters from 1 byte to 3 bytes and overflow the undersized heap buffer. |
| Trigger Pattern | The vulnerable pattern is a rewrite with unnamed regex captures such as $1 or $2, where the replacement contains ?, followed by rewrite, if, or set. The depthfirst write-up and PoC environment highlight the especially common rewrite + set combination. |
| Example Vulnerable Pattern | nginx<br>location ~ ^/api/(.*)$ {<br> rewrite ^/api/(.*)$ /internal?migrated=true;<br> set $original_endpoint $1;<br>}<br> |
Why ? Matters | The ? in the rewrite replacement causes NGINX to treat the remaining string as query-string related data and sets internal state that changes escaping behavior during the copy pass. This is the key condition that makes the length calculation and copy behavior diverge. |
| Exploitability Conditions | The bug is remote and unauthenticated at the HTTP layer, but exploitation still depends on a vulnerable configuration being present. The official advisory says a crash is possible generally, and RCE becomes possible on systems with ASLR disabled. |
| What the Repo Demonstrates | The repo is an RCE proof of concept for CVE-2026-42945. It builds a vulnerable NGINX environment in Docker, disables ASLR with setarch x86_64 -R, and provides poc.py that can either execute an arbitrary command with --cmd or attempt a reverse shell with --shell. |
| PoC Environment Details | The repo says it was tested on Ubuntu 24.04.3 LTS. Its Docker environment compiles NGINX from source, checks out commit 98fc3bb78, exposes the vulnerable server on port 19321, and runs a simple Python backend on 127.0.0.1:19323. |
| Repo Exploitation Strategy | The repo describes cross-request heap feng shui. It uses the overflow to corrupt an adjacent ngx_pool_t structure’s cleanup pointer. Because URI bytes cannot safely carry arbitrary null-containing pointers, the PoC sprays heap data using POST bodies, placing a fake ngx_pool_cleanup_s structure and command string in memory, then redirects cleanup handling so system() is invoked when the victim pool is destroyed. |
| Key Technical Primitive | The exploit aims to turn a controllable overflow into a cleanup callback hijack by abusing the ngx_pool_t cleanup linked-list mechanism during pool destruction. |
| Why POST Bodies Are Used in the PoC | The write-up explains that request URIs are heavily constrained by URI parsing and escaping, making them unsuitable for arbitrary binary data. The PoC instead uses POST request bodies as a spray mechanism because they can carry raw binary data including null bytes. |
| Visible PoC Mechanics | In poc.py, the spray phase uses repeated POST /spray requests with a long body and X-Delay: 60. The trigger phase sends a crafted GET /api/... request containing a large sequence of characters, including many + characters to maximize expansion by ngx_escape_uri. The script also checks whether the worker crashed or became unresponsive after the trigger. |
| Operational Caveat | The public repo demonstrates RCE only in a lab setup with ASLR disabled. That matches the official advisory, which explicitly says code execution is possible on systems with ASLR disabled. |
| Exposure / Detection Guidance | The most important detection step is configuration review. Search NGINX configs for a rewrite that uses unnamed captures like $1 or $2, where the replacement contains ?, and that is followed by rewrite, if, or set. Any affected NGINX version with that pattern should be treated as exposed until patched or reconfigured. |
| Runtime Symptoms | Officially documented runtime impact includes worker process restart. In a lab context, suspicious behavior would include crafted requests to vulnerable locations causing worker crashes, hangs, or instability. |
| Mitigation | Upgrade to NGINX Open Source 1.30.1 or 1.31.0, or the corresponding NGINX Plus fixed releases. If immediate patching is not possible, remove or refactor the vulnerable configuration pattern so the risky rewrite plus unnamed capture plus ? combination is no longer followed by rewrite, if, or set. |
| Related Issues Disclosed Alongside It | The repo notes that the same automated analysis also found CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934, but this repo specifically targets CVE-2026-42945. |
| References | - https://github.com/DepthFirstDisclosures/Nginx-Rift - https://depthfirst.com/nginx-rift - https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2026-42945 - https://nginx.org/en/security_advisories.html - https://seclists.org/oss-sec/2026/q2/519 |