Security researcher Zhenpeng (Leo) Lin of depthfirst has unveiled a critical, 18-year-old vulnerability lurking within NGINX. The flaw, tracked as CVE-2026-42945 (CVSS 9.2), is a deterministic heap buffer overflow that allows an unauthenticated attacker to crash worker processes or, more alarmingly, achieve Remote Code Execution (RCE).
Given that NGINX sits in front of a massive portion of the public internet, the implications are staggering. Most concerningly, the proof-of-concept (PoC) exploit code is now publicly available on GitHub, making immediate remediation a top priority for global IT teams.
The vulnerability resides in the ngx_http_rewrite_module, a core component used in almost every standard NGINX build. The issue arises from a logic failure in NGINX’s internal script engine, which uses a two-pass process to handle URI rewrites: first calculating the required memory length, then copying the data.
The analysis explains that a heap buffer overflow occurs because “the internal engine state changes between these two passes”. Specifically, when a rewrite directive contains a question mark, it permanently sets an internal flag (is_args). A subsequent set directive then calculates the memory length assuming no escaping is needed, but the actual write operation—still seeing the flag—applies URI escaping that expands the data.
As Lin describes the mechanical failure: “The destination buffer ‘pos’ was allocated with raw_size, but ngx_escape_uri expands the characters and writes the much larger raw_size + 2*N bytes directly into it!”.
NGINX’s multi-process architecture, normally a source of robustness, actually aids the attacker here. Because worker processes are forked from a master process, “the memory space is duplicated exactly for every child worker,” making the heap layout entirely deterministic.
If an exploit attempt crashes a worker, the master process simply spawns a new one with the identical memory layout, allowing an attacker to safely try multiple times. To achieve code execution, Lin demonstrated a “cross request heap feng shui” technique to overwrite the cleanup pointer in a target memory pool, eventually triggering the system() function to execute arbitrary commands.
The “trigger” for this 18-year-old bug is a common configuration pattern: a rewrite directive with an unnamed regex capture ($1, $2) and a replacement string containing a question mark, followed by another rewrite, if, or set directive.
Affected Products include:
- NGINX Open Source: Versions 0.6.27 through 1.30.0.
- NGINX Plus: R32 through R36.
- Ancillary Products: NGINX Instance Manager, Gateway Fabric, and Ingress Controller are also impacted.
The source code of the proof of concept is available in a GitHub repository.
The recommended course of action is an immediate upgrade to a patched version, such as NGINX Open Source 1.31.0 or 1.30.1.
The bug is only reachable when unnamed PCRE captures are used in the vulnerable pattern. Defenders should “replace unnamed captures ($1, $2) with named captures in every affected rewrite directive”.
Vulnerable pattern:
Mitigated pattern:
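Added example, not code from the article or from depthfirst: a small Python scanner that flags rewrite directives matching the trigger pattern described above (unnamed capture, a question mark in the replacement, then a rewrite, if or set directive in the same block). It runs over a constructed sample config that shows the unnamed-capture form beside its named-capture replacement; the parser is a deliberately minimal approximation of nginx's config grammar.

```python
import re
# Constructed sample (not from the article): unnamed-capture form beside the named-capture fix.
SAMPLE_CONF = """
server {
    location /old {
        rewrite ^/old/(.*)$ /new?path=$1 last;
        set $debug "1";
    }
    location /safe {
        rewrite ^/old/(?<tail>.*)$ /new?path=$tail last;
        set $debug "1";
    }
}
"""
# An unescaped '(' not starting a '(?...' construct is an unnamed capture.
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+')
FOLLOWERS = {"rewrite", "if", "set"}

def parse_statements(text):
    """Minimal nginx config parser -> list of (depth, directive, args)."""
    text = re.sub(r"#[^\n]*", "", text)      # drop comments
    stmts, args, depth = [], [], 0
    for t in TOKEN.findall(text):
        if t == "}":
            depth -= 1
        elif t in ";{":                       # end of a statement / block header
            if args:
                stmts.append((depth, args[0], args[1:]))
            depth, args = depth + (t == "{"), []
        else:
            args.append(t[1:-1] if t[0] in "\"'" else t)   # unquote
    return stmts

def find_vulnerable_rewrites(text):
    """Return (regex, replacement) of rewrites matching the article's trigger pattern."""
    stmts, hits = parse_statements(text), []
    for idx, (depth, name, args) in enumerate(stmts):
        if name != "rewrite" or len(args) < 2:
            continue
        regex, repl = args[0], args[1]
        if not UNNAMED_GROUP.search(regex) or "?" not in repl:
            continue
        for d2, n2, _ in stmts[idx + 1:]:
            if d2 < depth:                    # enclosing block closed first
                break
            if d2 == depth and n2 in FOLLOWERS:
                hits.append((regex, repl))
                break
    return hits
```

Regexes containing `{n}` quantifiers must be quoted, as nginx itself requires; anything flagged should be converted to named captures (`(?<name>...)` referenced as `$name`).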
With the exploit code public and the vulnerability reachable from the internet without authentication, the time to audit your NGINX configurations is now.