PoC Code Published for Critical NGINX Vulnerability
Briefly

"Tracked as CVE-2026-42945 (CVSS score of 9.2), the issue was patched in the widely used web server this week as part of F5's latest quarterly patch release, 16 years after it was introduced. The bug is described as a heap buffer overflow in the ngx_http_rewrite_module component that could be exploited to trigger a restart, creating a denial-of-service (DoS) condition. Remote code execution (RCE) is also possible if Address Space Layout Randomization (ASLR) is disabled, F5 warned."
"According to Depthfirst, CVE-2026-42945 impacts NGINX servers using rewrite and set directives and is rooted in the use of a two-pass process in the script engine: one to compute the required buffer size, and the other to copy data. Because the internal engine state changes between the two passes, if a rewrite replacement that contains a question mark ("?") is used, an unpropagated flag causes an undersized buffer allocation, allowing attacker-controlled escaped URI data to be written past the heap boundary."
""By padding the request URI with plus signs, we can force the escaping function to expand each byte into three bytes, overflowing the allocated chunk. The size of the overflow is completely under our control based on the number of escapable characters we provide," Depthfirst notes. Because null bytes cannot be used for the overflow, achieving RCE requires overwriting all fields in the NGINX memory pool until the target pointer, then destroying the pool as soon as the pool header corruption occurs, without crashing the worker process, the cybersecurity firm says."
""Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t's cleanup pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake ngx_pool_cleanup_s invo""
CVE-2026-42945 is a critical-severity NGINX vulnerability with a CVSS score of 9.2, patched in a recent F5 quarterly release. The flaw is a heap buffer overflow in the ngx_http_rewrite_module that can be exploited remotely to trigger a restart and cause denial-of-service. Remote code execution is possible when Address Space Layout Randomization is disabled. The issue affects NGINX configurations using rewrite and set directives. The vulnerability stems from a two-pass script engine process that first computes buffer size and then copies data, while internal engine state changes between passes. Using a rewrite replacement containing a question mark can lead to an undersized buffer allocation and attacker-controlled escaped URI data written past the heap boundary. Exploitation can be performed by padding the request URI with plus signs to expand escaped bytes and control overflow size, with RCE requiring careful heap manipulation to overwrite memory pool fields and corrupt adjacent cleanup pointers.
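As an added illustration (not code from NGINX, F5 or Depthfirst), the constructed C model below shows the failure class the summary describes: a buffer sized in one pass with a flag that is only set before the second, copying pass, next to the corrected ordering with a bounded copy. The '+' to "%2B" expansion and the '?' trigger come from the description above; the function names and the single-character escape set are simplifications.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the two-pass sizing bug described above (not NGINX code): pass 1
 * sizes the buffer, pass 2 copies; escaping turns each '+' into the three bytes "%2B". */

/* Bytes needed to render uri under the given escape setting. */
static size_t rendered_len(const char *uri, bool escape)
{
    size_t n = 0;
    for (; *uri; uri++)
        n += (escape && *uri == '+') ? 3 : 1;
    return n;
}

/* Bounded copy: never writes past cap, returns false if the sizing was wrong. */
static bool render(char *dst, size_t cap, const char *uri, bool escape)
{
    size_t n = 0;
    for (; *uri; uri++) {
        size_t need = (escape && *uri == '+') ? 3 : 1;
        if (n + need >= cap)                      /* keep one byte for the terminator */
            return false;
        memcpy(dst + n, need == 3 ? "%2B" : uri, need);
        n += need;
    }
    dst[n] = '\0';
    return true;
}

/* Stale-flag ordering: the buffer is sized before the '?' in the replacement flips
 * the flag. Returns how many bytes pass 2 would write past the allocation. */
size_t stale_flag_shortfall(const char *uri, const char *replacement)
{
    bool escape = false;
    size_t alloc = rendered_len(uri, escape);     /* pass 1: flag still clear */
    if (strchr(replacement, '?')) escape = true;  /* state changes between the passes */
    size_t need = rendered_len(uri, escape);      /* pass 2 would write this much */
    return need > alloc ? need - alloc : 0;
}

/* Synced ordering: settle the flag first, size and copy under the same state. Caller frees. */
char *synced_rewrite(const char *uri, const char *replacement)
{
    bool escape = strchr(replacement, '?') != NULL;
    size_t cap = rendered_len(uri, escape) + 1;
    char *buf = malloc(cap);
    if (!buf || !render(buf, cap, uri, escape)) { free(buf); return NULL; }
    return buf;
}
```

With the stale flag, every extra '+' in the URI adds two bytes of shortfall, which is the "size of the overflow is completely under our control" property quoted above; the synced version sizes and copies under the same state and refuses any copy that would exceed its allocation.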
Read at SecurityWeek