Proof-of-concept (PoC) exploit code has been released for a critical vulnerability in the NGINX web server, identified as CVE-2026-42945. With a CVSS score of 9.2, this flaw was addressed by F5 in their latest quarterly patch, marking a significant update 16 years after the vulnerability’s inception.
Understanding CVE-2026-42945
The vulnerability is attributed to a heap buffer overflow in the ngx_http_rewrite_module of NGINX. This flaw poses a risk of causing a denial-of-service (DoS) by restarting the server. Furthermore, remote code execution (RCE) is possible if the Address Space Layout Randomization (ASLR) is not enabled, according to warnings from F5.
Research by Depthfirst highlights that servers using specific rewrite and set directives are susceptible due to a two-pass process in the script engine. This process initially estimates the buffer size and subsequently transfers data, where discrepancies in engine state could result in memory allocation errors.
Exploit Mechanism and Impact
Depthfirst describes how the exploitation involves manipulating the request URI with plus signs, which causes the escaping function to expand the bytes, resulting in an overflow of the allocated memory. The extent of this overflow can be controlled by the attacker, dependent on the number of escapable characters used.
For successful RCE attacks, it is necessary to overwrite all fields within the NGINX memory pool without utilizing null bytes, eventually leading to memory pool destruction. This process involves corrupting memory pointers and redirecting cleanup functions to execute arbitrary code.
Mitigation and Future Outlook
F5 has released patches for the affected NGINX versions, including Plus versions 37.0.0, R36 P4, and R32 P6, along with open-source versions 1.31.0 and 1.30.1. Users are strongly encouraged to update to these versions to mitigate potential security risks.
As cybersecurity threats evolve, staying informed about vulnerabilities and timely patching remains crucial. Organizations should ensure robust security practices to protect against such critical exploits.
Related updates include recent patches for other software vulnerabilities, emphasizing the ongoing need for vigilance in maintaining cybersecurity integrity across systems.
