Critical Nginx RCE Vulnerability CVE-2026-42945 Discovered
Original: New Nginx Exploit
Why This Matters
Critical RCE in widely-used Nginx affects servers with rewrite configurations globally
Security researchers disclosed CVE-2026-42945, a critical heap buffer overflow in Nginx's rewrite module from 2008 that enables unauthenticated remote code execution. The vulnerability was autonomously discovered by DepthFirst's analysis system.
CVE-2026-42945 is a critical heap buffer overflow vulnerability in Nginx's ngx_http_rewrite_module that has existed since 2008. The flaw enables unauthenticated remote code execution against servers using rewrite and set directives. DepthFirst Disclosures published a proof-of-concept exploit on GitHub. The vulnerability stems from Nginx's two-pass script engine process where the is_args flag is set on the main engine when a rewrite replacement contains '?', but the length-calculation pass runs on a freshly zeroed sub-engine, causing a buffer size miscalculation. This is one of four memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) discovered by DepthFirst's automated security analysis system.