A critical heap buffer overflow vulnerability has been discovered in the source code of NGINX, present since 2008.<\/p>\n
This vulnerability has been publicly disclosed, along with a working proof-of-concept exploit that can enable unauthenticated remote code execution (RCE) against one of the most widely used web servers in the world.<\/p>\n
Assigned a CVSS score of 9.2,\u00a0CVE-2026-42945\u00a0resides in NGINX\u2019s\u00a0ngx_http_rewrite_module.<\/p>\n
This engine powers URL rewriting and variable assignment in virtually every modern NGINX deployment.<\/p>\n
The bug was first introduced in version 0.6.27, released in\u00a02008, and remained undetected for 18 years across all versions up to 1.30.0.<\/p>\n
18-Year-Old NGINX RCE Vulnerability<\/strong><\/h2>\nThe flaw is triggered when a configuration uses both\u00a0rewrite\u00a0and\u00a0set\u00a0directives together, a common pattern in API gateway setups.<\/p>\n
NGINX\u2019s internal script engine<\/a> processes these directives using a\u00a0two-pass system: the first pass calculates memory length, and the second writes data into the allocated buffer.<\/p>\nThe critical flaw lies in a state mismatch between the two passes. When a\u00a0rewrite\u00a0directive contains a question mark (?), it permanently sets an\u00a0is_args = 1\u00a0flag on the main script engine.<\/p>\n
However, during the first (length calculation) pass, a zeroed-out sub-engine is used, meaning\u00a0is_args\u00a0is effectively zero. The length is calculated without accounting for URI escaping.<\/p>\n![\"NGINX](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgERSnm1wpSJLa9ZFL7IgwLKj1nLEkmwcRdmFe32pAExQLRcmpZD16oVbZkyDRI34dNzUjx-7q17ojIUV8wliw5ZTRnOAI62MlYWbdpn8oBWjoDCHXPWIiBZfeH5lblBFnH4GcGQaDhcowEcIdXE5wIy8BcMXOcgI7hRMa0CPoRkiPNBdhIiMlbliSd4J8\/s1600\/Screenshot%25202026-05-14%2520114347%2520%25281%2529.webp?ssl=1\")
NGINX Hit by 4 Memory Flaws (source:depthfirst)<\/figcaption><\/figure>\nIn the second (copy) pass, the main engine runs with\u00a0is_args = 1, causing the\u00a0ngx_escape_uri\u00a0function to\u00a0expand each escapable byte from 1 to 3 bytes.<\/p>\n
The result: far more data is written to the buffer than was allocated, leading to a classic heap buffer overflow.<\/a><\/p>\nResearchers developed a working RCE exploit for systems with ASLR disabled.<\/p>\n
The critical flaw lies in a state mismatch between the two passes. When a\u00a0rewrite\u00a0directive contains a question mark (?), it permanently sets an\u00a0is_args = 1\u00a0flag on the main script engine.<\/p>\n
However, during the first (length calculation) pass, a zeroed-out sub-engine is used, meaning\u00a0is_args\u00a0is effectively zero. The length is calculated without accounting for URI escaping.<\/p>\n In the second (copy) pass, the main engine runs with\u00a0is_args = 1, causing the\u00a0ngx_escape_uri\u00a0function to\u00a0expand each escapable byte from 1 to 3 bytes.<\/p>\n The result: far more data is written to the buffer than was allocated, leading to a classic heap buffer overflow.<\/a><\/p>\n Researchers developed a working RCE exploit for systems with ASLR disabled.<\/p>\n