A remote code execution vulnerability has been discovered in NGINX; the affected versions are listed below.

Security firm DepthFirst has reportedly detected multiple vulnerabilities in the source code of the web server software 'NGINX' after feeding it into their analysis system, including four memory corruption issues. In particular, vulnerability 'CVE-2026-42945,' which could lead to remote code execution, is said to be a heap buffer overflow that appeared in 2008 and 'had been overlooked for nearly 18 years.'
GitHub - DepthFirstDisclosures/Nginx-Rift: exploit for CVE-2026-42945
NGINX Rift: Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability | depthfirst
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
The affected versions and the corrected versions are as follows:
| Product | Affected versions | Corrected versions |
|---|---|---|
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.31.0, 1.30.1 |
| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |

CVE-2026-42945 is triggered when, in the NGINX configuration, a rewrite directive is followed by another rewrite directive, an if directive, or a set directive, and the replacement string contains both an unnamed PCRE capture group such as '$1' or '$2' and a question mark '?'. The rewrite directive rewrites a requested URL to another URL, and the set directive stores a value in a temporary variable. A typical use is to 'move the old API URL to the new API URL while keeping the original access destination for logging or backend processing.'
Technically, the problem stems from the fact that NGINX's internal scripting engine works in two stages: 'calculating the required amount of memory' and 'actually copying the string.' The size calculation does not correctly account for the possibility that some characters in the URL become longer when escaped, while the subsequent copy writes the longer, escaped string. As a result, more data is written than the allocated memory area can hold, causing a heap buffer overflow. A heap buffer overflow is a defect in which a program writes data outside a memory area allocated at run time, which can lead to crashes or arbitrary code execution.

The description of CVE-2026-42945 indicates that an unauthenticated attacker could send a crafted HTTP request that causes a heap buffer overflow in an NGINX worker process, potentially leading to a process restart. Furthermore, it is reported that code execution would be possible on systems where Address Space Layout Randomization (ASLR), a defense mechanism that randomizes the memory locations used by programs to make attacks less likely to succeed, is disabled.
Note that the severity of the vulnerability is rated differently by different sources. The official NGINX security advisory lists the severity of CVE-2026-42945 as 'medium,' but the NVD vulnerability database operated by the US government agency NIST records it with a CVSS 4.0 base score of 9.2 and a severity of 'CRITICAL,' and with a CVSS 3.1 base score of 8.1 and a severity of 'HIGH.' It is treated as a vulnerability that requires certain conditions to be exploited, but when those conditions are met, it can have a significant impact.
DepthFirst has published proof-of-concept code demonstrating remote code execution in environments where ASLR is disabled, explaining that it 'enables unauthenticated remote code execution against servers using rewrite and set directives.' If you are using an affected version of NGINX in production, you should first consider updating to NGINX Open Source 1.30.1 or 1.31.0 or later, and also check whether 'combinations of rewrite directives, set directives, unnamed capture groups, and substitution strings containing question marks exist in your configuration.'
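One way to run the configuration check recommended above, as an added example that is not code from DepthFirst or the NGINX project: it scans an nginx.conf for rewrite and set directives whose replacement string contains both an unnamed capture such as $1 and a '?'. The sample configuration is constructed; the scanner is deliberately conservative (it flags any such directive regardless of what precedes it) and only handles single-line directives.

```python
import re

# Constructed nginx.conf fragment used as sample input (not from the article).
SAMPLE_CONF = """\
server {
    listen 80;
    location /api/ {
        # old API path moved; keep the original target for logging
        rewrite ^/api/v1/(.*)$ /api/v2/$1?legacy=1 last;
        set $orig_uri "/api/v1/$1?from=old";
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 permanent;   # no '?' -> not flagged
    }
}
"""

# Single-line "rewrite ...;" or "set ...;" directives only (assumption of this scanner).
DIRECTIVE_RE = re.compile(r'^\s*(rewrite|set)\s+(.*?)\s*;\s*$')
# Arguments may be double-quoted, single-quoted, or bare.
ARG_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')
# Unnamed PCRE capture reference: $1, $2, ...
UNNAMED_CAPTURE_RE = re.compile(r'\$\d')


def split_args(text):
    """Split directive arguments, honouring single and double quotes."""
    return [a or b or c for a, b, c in ARG_RE.findall(text)]


def find_risky_directives(conf_text):
    """Return (line_no, directive, replacement) for every rewrite/set directive
    whose replacement string contains both an unnamed capture and a '?'."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split('#', 1)[0]  # drop trailing comment (naive: '#' inside quotes)
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, args = m.group(1), split_args(m.group(2))
        if len(args) < 2:
            continue
        replacement = args[1]  # rewrite: <regex> <replacement>; set: <$var> <value>
        if UNNAMED_CAPTURE_RE.search(replacement) and '?' in replacement:
            findings.append((line_no, directive, replacement))
    return findings


if __name__ == '__main__':
    for line_no, directive, replacement in find_risky_directives(SAMPLE_CONF):
        print(f'line {line_no}: {directive} with replacement {replacement!r}')
```

Point the scanner at your own configuration by reading each included file into conf_text; a hit means the directive deserves a look, not that it is necessarily exploitable.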