NGINX Rift: Dissecting an 18-Year-Old Critical RCE Vulnerability (CVE-2026-42945)
Published: May 14, 2026
Target Audience: Security Analysts, SOC Engineers, and Vulnerability Researchers
Yesterday, the researchers at DepthFirst AI unveiled a startling discovery: a critical memory corruption vulnerability hiding in plain sight within NGINX's codebase since 2008. Tracked as CVE-2026-42945 (CVSS 9.2), this heap buffer overflow allows unauthenticated attackers to achieve Remote Code Execution (RCE) on affected NGINX servers.
Given NGINX's position as a global internet edge router and reverse proxy—powering nearly a third of all websites—this is a vulnerability that security teams must immediately evaluate.
In this post, we'll break down the technical root cause of the flaw, dissect the elegant exploit chain crafted by the researchers, and provide a TTP matrix for threat analysts looking to model this attack path.
The Trigger: When rewrite meets set
The vulnerability lives within the ngx_http_rewrite_module. It specifically impacts environments where the rewrite and set directives are used in tandem—a common configuration pattern for API gateways handling legacy routing.
The issue triggers when:
- A
rewritedirective replaces the URI and introduces a query string (by appending a?). - A subsequent
setdirective is used to capture a regex group (e.g.,$1) from the original path.
A Vulnerable Configuration Example:
location ~ ^/api/(.*)$ {
rewrite ^/api/(.*)$ /internal?migrated=true;
set $original_endpoint $1;
}
Deep Dive: The Two-Pass State Mismatch
Under the hood, NGINX's script engine handles these configuration directives via a heavily optimized two-pass operation. First, it calculates the exact memory required. Second, it allocates the chunk and copies the data over.
A catastrophic desynchronization occurs between these two passes.
When the rewrite directive is parsed with a question mark, the internal script engine (e) flags that arguments are present by permanently setting e->is_args = 1.
However, when the subsequent set directive evaluates the length of the capture group (Pass 1), it uses a newly initialized, completely zeroed-out sub-engine (le). Because le.is_args == 0, the length calculation completely ignores the need for character escaping, returning the raw, unescaped string length.
During the actual memory copy (Pass 2), the function reverts to using the main engine (e), where e->is_args is still set to 1. The logic dictates that URI characters like + or & must be escaped via ngx_escape_uri, which expands a single character into three bytes (e.g., %2B).
The result? The copy operation writes significantly more data than was calculated in the first pass, resulting in a controllable heap buffer overflow past the bounds of the allocated memory pool.
The Exploit Path: Heap Feng Shui and POST Spraying
Turning an unpredictable heap smash into unauthenticated RCE involves bypassing several intense constraints. DepthFirst's exploit chain is a masterclass in modern exploitation techniques.
1. Overwriting ngx_pool_t
NGINX relies on memory pools managed by the ngx_pool_t structure. The attacker's goal is to overwrite the cleanup pointer located at offset 64 in this structure, redirecting execution flow when the pool is destroyed.
2. Constraint: The Contiguous Corruption Crash
Because the heap overflow is contiguous, reaching offset 64 means overwriting critical intermediate metadata (d, max, current, chain, etc.). If the worker process attempts to do anything with the connection afterward, it will dereference these corrupted pointers and crash prematurely, dropping the exploit.
The Solution: The researchers utilized cross-request Heap Feng Shui. By opening two subsequent connections, the attacker coerces the allocator into placing the victim pool directly adjacent to the attacker's request pool. After sending the payload to overflow from Pool A into Pool B's header, the attacker immediately drops Connection B. This abruptly triggers ngx_destroy_pool(), which happily executes the hijacked cleanup pointer before it touches any of the corrupted intermediate allocator metadata.
3. Constraint: URI-Safe Payloads vs. Null Bytes
The payload generating the overflow is processed by a URI parser, meaning injected pointers cannot contain null bytes.
The Solution: Attackers can spray the NGINX heap using raw HTTP POST request bodies. Because POST payloads are treated as raw binary streams, they can contain arbitrary binary pointers, including null bytes. The attackers spray thousands of fake ngx_pool_cleanup_s objects (configured to invoke the system() function from libc) across predictable memory offsets. Finally, they use their URI-safe payload to merely overwrite the lower bytes of the cleanup pointer, hooking it directly into the sprayed structures.
Due to NGINX's multi-worker architecture, if an attempt fails and the worker crashes, the master process spawns a new worker with an identical memory layout, giving the attacker infinite, deterministic retries to bypass ASLR.
Threat Intelligence: TTP Matrix
For SOC analysts and threat hunters tracking potential exploit attempts against this vulnerability, we have mapped the attack path to the MITRE ATT&CK® framework:
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Sending crafted HTTP requests with URI-safe padding (+ characters) to trigger the ngx_escape_uri heap buffer overflow. |
| Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell | Invoking the system() function via hijacked cleanup routines to execute arbitrary shell commands inside the NGINX worker. |
| Defense Evasion | T1574 | Hijack Execution Flow | Overwriting the cleanup pointer inside the ngx_pool_s memory management structure to redirect execution to malicious code. |
| Defense Evasion | T1001 | Data Obfuscation | Embedding malicious pointer structures containing null bytes inside raw POST request bodies to bypass URI-character filtering restrictions. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Gaining unauthorized code execution in the context of the NGINX child worker process (typically www-data or nginx). |
Affected Versions & Remediation
This 18-year-old vulnerability spans a massive amount of historical and modern NGINX deployments. Affected distributions include:
- NGINX Open Source:
0.6.27through1.30.0 - NGINX Plus:
R32throughR36 - NGINX Ingress Controller:
3.5.0–3.7.2,4.0.0–4.0.1, and5.0.0–5.4.1 - NGINX App Protect (WAF/DoS): Various versions
- NGINX Gateway Fabric:
1.3.0–1.6.2and2.0.0–2.5.1
Mitigation
F5 released an official security advisory and patches on May 13, 2026. Organizations are heavily urged to patch immediately. As a temporary workaround, carefully review your configuration files for locations combining rewrite directives containing query parameters with set directives.
Stay tuned to ThreatLandscape.io for further technical breakdowns of emerging threats.
Sources: