A significant vulnerability in NGINX has come to light that could enable remote code execution if exploited. The flaw, present since 2008, has been assigned a high CVSS score of 9.2. The issue, identified as CVE-2026-42945, resides within NGINX’s ngx_http_rewrite_module.
Details of the Vulnerability
The vulnerability stems from a heap buffer overflow problem, which occurs when specific directives are used together in configurations. This issue has persisted undetected for 18 years, affecting all NGINX versions from 0.6.27 to 1.30.0. The flaw is activated when both rewrite and set directives are employed, a setup frequently found in API gateway configurations.
NGINX’s script engine processes these directives in two stages. In the first stage, the memory length is calculated, and in the second, data is written to the buffer. A discrepancy in state between these stages leads to the overflow. Specifically, a rewrite directive with a question mark permanently sets an is_args = 1 flag, while the initial pass uses a zeroed-out sub-engine. The two stages therefore run with different state, and the resulting mismatch causes a buffer overflow.
Security Implications and Exploits
The security research firm depthfirst discovered this vulnerability independently during a code audit in April 2026. The firm also identified three other memory-related vulnerabilities. The vulnerability chain exploits heap manipulation and other techniques to achieve reliable and repeatable code execution, with a proof-of-concept exploit now publicly available.
Alongside CVE-2026-42945, three other vulnerabilities were disclosed, affecting different modules of NGINX. These include a high-severity vulnerability with a CVSS score of 8.3 and two medium-severity vulnerabilities with scores of 6.3. These vulnerabilities impact various F5/NGINX products, including NGINX Plus and NGINX App Protect WAF, among others.
Recommended Actions
F5 Networks has issued a security advisory, urging administrators to update to NGINX version 1.30.1 or 1.31.0 to mitigate these risks. For organizations unable to implement patches immediately, it is recommended to audit server configurations, particularly those using both rewrite and set directives. Additionally, placing NGINX deployments behind a Web Application Firewall (WAF) can add an extra layer of protection until updates are applied.
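One way to run the configuration audit suggested above, as an added example that is not from F5, depthfirst or the NGINX project: the script flags every server block that contains both a set directive and a rewrite whose replacement argument includes a question mark. Scoping the check to server blocks and reading the question mark from the replacement argument are assumptions made here, and the sample configuration is constructed.

```python
import re

# Constructed sample configuration (made-up names), not taken from the article.
SAMPLE = r"""
server {
    location /v1/ {
        set $backend "svc-a";
        rewrite ^/v1/(.*)$ /internal/$1?src=gw last;  # '?' in replacement
    }
}
server {
    location /static/ {
        rewrite ^/static/(.*)$ /files/$1 last;        # no '?', no set
    }
}
"""

# Tokens: quoted strings, comments, punctuation, bare words (allowing ${var}).
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|(?:\$\{|[^\s{};])+''')

def audit(conf):
    """Return (server_line, set_lines, rewrite_lines) per server block that has both."""
    findings, blocks, words, start = [], [], [], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith('#'):
            continue
        if tok not in ('{', '}', ';'):
            if not words:  # first word of a directive: remember its line
                start = conf.count('\n', 0, m.start()) + 1
            words.append(tok.strip('"\''))
            continue
        if tok == '{':  # block opens; keep a record only for server blocks
            blocks.append((start, [], []) if words[:1] == ['server'] else None)
        elif tok == '}':
            rec = blocks.pop() if blocks else None
            if rec and rec[1] and rec[2]:
                findings.append(rec)
        elif words and any(blocks):  # directive inside a server block
            rec = next(b for b in blocks if b)
            if words[0] == 'set':
                rec[1].append(start)
            elif words[0] == 'rewrite' and len(words) >= 3 and '?' in words[2]:
                rec[2].append(start)
        words = []
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE))  # [(2, [4], [5])]
```

Passing the text printed by nginx -T to audit() covers included files, since that dump contains the whole effective configuration. A flagged block is a candidate for review and prioritised patching, not proof of exposure.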
As cyber threats evolve, it is crucial to stay informed about vulnerabilities and apply security patches promptly. Ensure your systems are up-to-date to protect against potential exploits.
