An 18‑Year‑Old Nginx RCE Flaw Finally Exposed (CVE‑2026‑42945)

Depthfirst’s AI tool Rift uncovered a critical heap‑buffer‑overflow vulnerability (CVE‑2026‑42945) in Nginx’s ngx_http_rewrite_module that has been present for 18 years, allowing unauthenticated attackers to trigger denial‑of‑service or potential remote code execution, affecting versions 0.6.27‑1.30.0 and fixed in 1.30.1/1.31.0.

Black & White Path

On May 13, 2026, the security firm Depthfirst used its AI‑assisted scanner “Rift” to discover a severe heap‑buffer‑overflow vulnerability (CVE‑2026‑42945, CVSS 9.2) in the ngx_http_rewrite_module of Nginx. The flaw has existed for roughly 18 years, from version 0.6.27 up to 1.30.0.

Vulnerability Mechanics

The bug is triggered when an Nginx configuration contains both the set and rewrite directives and the rewrite replacement string includes the literal ? character. Under these conditions the module performs an out‑of‑bounds write on the heap.

Core trigger conditions:

Presence of a set + rewrite directive pair.

The rewrite replacement string contains ?.

Exploiting the condition requires only a crafted HTTP request; no authentication or user interaction is needed.

Potential Impact

Denial of Service – the most reliable outcome: the worker process crashes immediately.

Potential Remote Code Execution – in specially tuned environments, precise heap‑layout manipulation can lead to arbitrary code execution.

Because Nginx powers roughly one‑third of all web servers worldwide, the vulnerability has a very broad attack surface. The exploit is low‑difficulty and can be automated.

Discovery Background

Depthfirst’s “Rift” performed systematic code analysis of the Nginx rewrite module, which had not undergone a deep memory‑safety review since 2008. The AI‑driven audit identified the unsafe string handling that leads to the overflow.

Mitigation and Remediation

Follow these steps to protect your deployment:

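Check the installed Nginx version:

nginx -v

Search for high‑risk configurations:

# List rewrite lines that contain a literal ? (the second grep drops set-only lines, so check separately that set is used in the same configuration)
grep -rn "rewrite\|set" /etc/nginx/ | grep -i "rewrite.*?"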

Focus on rewrite rules whose replacement string contains ?.

Upgrade immediately to a patched release:

# Debian/Ubuntu
apt update && apt install nginx
# RHEL/CentOS
yum update nginx

Patched versions are Nginx 1.30.1 (stable branch) or Nginx 1.31.0 (mainline) and later.

Apply temporary mitigations before upgrading:

Remove or comment out any rewrite rules whose replacement contains ?.

Enable a Web Application Firewall (WAF) to rate‑limit abnormal HTTP requests.

Restrict the system privileges of the worker process to limit lateral movement if RCE occurs.
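
The grep above also matches a ? that appears only in the rewrite regex or in a comment. The following is an added example, not code from the original article or from the Nginx project: it tokenizes a configuration file and reports only rewrite directives whose replacement argument contains ?, together with whether a set directive occurs in the same file. The names audit, TOKEN and SAMPLE and the sample configuration are constructed for illustration, and the per-file set check is an assumption that does not follow include directives.

```python
import re
import sys

TOKEN = re.compile(r"""
      \#[^\n]*                        # comment, only where a token would start
    | "(?:\\.|[^"\\])*"               # double-quoted argument
    | '(?:\\.|[^'\\])*'               # single-quoted argument
    | [;{}]                           # end of directive, block open/close
    | (?:\$\{[^}\s]*\}|[^\s;{}])+     # bare word, keeping ${var} in one piece
    """, re.VERBOSE)

# Constructed sample config (not from a real deployment).
SAMPLE = r"""
server {
    set $backend "app";
    # rewrite ^/x$ /y?commented=1 last;
    rewrite ^/old(/.*)?$ /new$1 last;
    rewrite "^/item/(\d{1,8})$" /view?id=$1 last;
}
"""

def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0] else tok

def audit(text):
    """Return (has_set, [(line, replacement), ...]) for one config text."""
    has_set, findings, words = False, [], []
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith("#"):
            continue                      # comment: ignore to end of line
        if tok not in (";", "{", "}"):
            words.append((text.count("\n", 0, m.start()) + 1, unquote(tok)))
            continue
        if words:                         # a directive or block header just ended
            (line, name), args = words[0], [w for _, w in words[1:]]
            has_set = has_set or name == "set"
            # rewrite <regex> <replacement> [flag]: inspect the replacement only
            if name == "rewrite" and len(args) >= 2 and "?" in args[1]:
                findings.append((line, args[1]))
        words = []
    return has_set, findings

if __name__ == "__main__":
    texts = {p: open(p, errors="replace").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, text in texts.items():
        has_set, findings = audit(text)
        for line, repl in findings:
            print(f"{name}:{line}: replacement {repl!r} contains '?'; set in same file: {has_set}")
```

Pass configuration file paths as arguments; with no arguments it runs on the constructed sample. Treat every reported line as a candidate for review even when set is not found in the same file, since the directive may live in an included file.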

Nginx configuration inspection and upgrade flow