A critical heap buffer overflow vulnerability, identified as CVE-2026-42945, was discovered in NGINX's ngx_http_rewrite_module. It allows unauthenticated attackers to execute code remotely on servers that use the rewrite and set directives. The bug has existed since the module's introduction in 2008 [1].
The flaw arises from mismatched buffer size calculations in NGINX's script engine. The length pass underestimates the buffer size, causing a heap overflow during the subsequent copy pass when the is_args flag is set. Attackers exploit this by manipulating memory pools through cross-request heap feng shui techniques, corrupting adjacent cleanup pointers that trigger system() calls upon pool destruction [1].
DepthFirst's security analysis system autonomously discovered this flaw while scanning the NGINX source with minimal human intervention. Alongside CVE-2026-42945, three other related memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) were identified in the same process [1].
The vulnerabilities and an exploit proof of concept were tested on Ubuntu 24.04.3 LTS, demonstrating the impact on current stable environments [1]. A full technical write-up and a vendor advisory are publicly available on the F5 website for developers and administrators to review and mitigate the risk [1].
DepthFirst announced the discovery of these multiple critical memory errors in May 2026 [1]. Server operators running NGINX with rewrite and set directives should promptly apply the patches or mitigation steps outlined in the advisory to prevent exploitation.
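To decide which hosts to patch first, operators can inventory the server blocks that use both directives. The script below is an added example, not code from DepthFirst, F5 or NGINX: it parses configuration text such as the output of nginx -T and lists each server block whose subtree contains both rewrite and set. It is an exposure inventory only, since the exact triggering pattern is not given here; the function name and the sample hostnames are assumptions.

```python
import re
from collections import Counter

# Token kinds: comment, quoted string, punctuation, bare word (may hold ${var}).
TOKEN = re.compile(
    r'''(\#[^\n]*)|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|([{};])'''
    r'''|((?:\$\{\w+\}|\\.|[^\s{};])+)''', re.S)
WATCHED = {"rewrite", "set"}  # the two directives the article names

def rewrite_set_servers(conf_text):
    """List (server_name, counts) for server blocks using both directives."""
    findings, stack, words = [], [], []
    for comment, quoted, punct, bare in (m.groups() for m in TOKEN.finditer(conf_text)):
        if comment:
            continue
        if not punct:                       # still collecting one directive
            words.append(quoted or bare)
            continue
        if punct == "{":                    # block opens: server / location / if
            stack.append({"kind": words[0] if words else "",
                          "name": "(unnamed)", "seen": Counter()})
        elif punct == ";" and words:        # simple directive ends
            srv = next((f for f in reversed(stack) if f["kind"] == "server"), None)
            if srv and words[0] in WATCHED:
                srv["seen"][words[0]] += 1
            elif srv and words[0] == "server_name" and len(words) > 1:
                srv["name"] = words[1]
        elif punct == "}" and stack:        # block closes
            frame = stack.pop()
            if frame["kind"] == "server" and WATCHED <= set(frame["seen"]):
                findings.append((frame["name"], dict(frame["seen"])))
        words = []
    return findings

# Constructed sample, shaped like `nginx -T` output; hostnames are placeholders.
SAMPLE = r'''
http {
    upstream app { server 127.0.0.1:8080; }
    server {
        server_name app.example.test;
        set $backend "app";
        location /old/ {
            rewrite "^/old/(\d{2})/(.*)$" /new/$1/$2 last;
            if ($arg_v) { set $v ${arg_v}x; }
        }
    }
}
'''
print(rewrite_set_servers(SAMPLE))
```

Directives inside if and location blocks are counted toward their enclosing server, and include files are not followed, so feed the script the fully expanded configuration.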