TL;DR
Researchers have revealed a proof-of-concept for a critical remote code execution vulnerability in Nginx, affecting versions from 0.6.27 to 1.30.0. The flaw stems from a heap buffer overflow in the rewrite module, enabling attackers to execute arbitrary code without authentication.
Security researchers have publicly demonstrated a proof-of-concept exploit for CVE-2026-42945, a critical heap buffer overflow vulnerability in Nginx’s rewrite module, which could allow unauthenticated remote code execution on affected servers.
CVE-2026-42945 affects Nginx versions 0.6.27 through 1.30.0. It was discovered by an automated security analysis system developed by depthfirst, which identified the flaw by analyzing the source code. The flaw resides in the rewrite module, which processes server-side URL rewriting rules. The bug allows attackers to craft malicious rewrite rules that trigger a heap buffer overflow during request processing.
Specifically, the vulnerability exploits a flaw in the module’s handling of the ‘is_args’ flag during URI rewriting. When a rewrite rule contains a ‘?’ character, the module’s two-pass process for calculating buffer sizes and copying data can be manipulated to overflow a heap buffer. This overflow enables an attacker to perform cross-request heap feng shui, leading to corruption of adjacent memory structures, including cleanup pointers. Exploiting this, attackers can redirect execution to malicious code, effectively achieving remote code execution without requiring authentication.
Developers have issued patches in version 1.31.0 for open source Nginx and in R36 for Nginx Plus. The vulnerability was tested on Ubuntu 24.04.3 LTS, with proof-of-concept code demonstrating the exploit’s feasibility.
Why It Matters
This vulnerability is highly significant because it affects widely used versions of Nginx, a popular web server and reverse proxy. The ability for attackers to execute arbitrary code remotely without authentication poses a severe security risk, potentially allowing full server compromise. Given Nginx’s prevalence in hosting environments, the flaw could impact a large number of organizations if exploited in the wild.

Background
The flaw was introduced in Nginx in 2008 and remained undiscovered until now. The discovery was made by an automated security system that analyzed the source code, highlighting the importance of automated vulnerability detection tools. Previous security issues in Nginx have been less critical, making this find notable for its potential impact. The patches released address the specific memory corruption mechanism, but the details of active exploitation in the wild remain unknown.
“This vulnerability enables unauthenticated remote code execution via a heap buffer overflow in the rewrite module, which has been confirmed through proof-of-concept exploits.”
— depthfirst security team
“A security update has been released in version 1.31.0 to address CVE-2026-42945. Users are advised to upgrade immediately.”
— Nginx developers

What Remains Unclear
It is not yet clear whether active exploitation has occurred in the wild or if the vulnerability has been widely exploited since discovery. Details about the full scope of affected deployments are still emerging, and the extent of potential damage remains to be assessed.

What’s Next
Users running vulnerable Nginx versions are strongly advised to update to version 1.31.0 or later. Security researchers and organizations should monitor for signs of exploitation and review their server configurations for exposure. Further analysis may reveal additional attack vectors or related vulnerabilities.
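One way to act on the upgrade-and-review advice above, as an added example rather than code from the article, depthfirst or the Nginx project: a shell helper that checks an open source version string against the affected range stated here (0.6.27 through 1.30.0) and lists rewrite directives whose replacement contains '?'. The function names and the sample config are assumptions made for illustration; the scan splits on whitespace and only finds rules to review, and Nginx Plus release numbers are not handled.

```sh
#!/bin/sh
# Added example: triage for CVE-2026-42945 using the ranges stated in the article
# (affected 0.6.27 through 1.30.0, fixed in 1.31.0). Function names are illustrative.

# parse_version: extract X.Y.Z from `nginx -v` output (nginx prints it on stderr).
parse_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p'
}

# is_affected: succeeds when an open source version is inside the affected range.
is_affected() {
    awk -v v="$1" 'BEGIN {
        split(v, p, ".")
        k = p[1] * 1000000 + p[2] * 1000 + p[3]    # 1.30.0 -> 1030000
        exit !(k >= 6027 && k <= 1030000)          # 0.6.27 .. 1.30.0 inclusive
    }'
}

# rewrites_with_qmark FILE...: list rewrite directives whose replacement contains "?".
# Heuristic: fields are split on whitespace, so a regex with quoted spaces is missed.
rewrites_with_qmark() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        {
            for (i = 1; i + 2 <= NF; i++)          # rewrite <regex> <replacement> [flag];
                if ($i == "rewrite" && index($(i + 2), "?")) {
                    printf "%s:%d: %s\n", FILENAME, FNR, $0
                    break
                }
        }' "$@"
}

# Constructed sample config (not from the article) to show the scan.
sample=$(mktemp)
cat >"$sample" <<'EOF'
server {
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /app { rewrite ^/app/(.*)$ /index.php?q=$1 last; }
    # rewrite ^/x /y?z=1;
}
EOF

# Constructed `nginx -v` line; on a real host use: parse_version "$(nginx -v 2>&1)"
v=$(parse_version "nginx version: nginx/1.24.0 (Ubuntu)")
is_affected "$v" && echo "nginx $v is in the affected range; upgrade to 1.31.0 or later"
rewrites_with_qmark "$sample"
rm -f "$sample"
```

On a real host, pass the output of `nginx -T` saved to a file, or the individual files under the configuration directory, to `rewrites_with_qmark`.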

Key Questions
What versions of Nginx are affected by this vulnerability?
The vulnerability affects Nginx open source versions from 0.6.27 through 1.30.0 and Nginx Plus R32 through R36.
How can I protect my servers against this exploit?
Update Nginx to version 1.31.0 or later immediately. Additionally, review your server configurations to minimize exposure and monitor logs for unusual activity.
Has this vulnerability been exploited in the wild?
There is currently no confirmed evidence of active exploitation, but the proof-of-concept demonstrates the exploit’s feasibility, raising concern for potential future attacks.
What is the technical basis of this vulnerability?
It involves a heap buffer overflow caused by the handling of rewrite rules containing ‘?’ characters, leading to memory corruption and remote code execution.