Public RCE proof-of-concept for CVE-2026-42945, a heap buffer overflow in NGINX’s ngx_http_rewrite_module present since 2008, affecting all versions through 1.30.0.
Key Takeaways
Root cause: the two-pass script engine computes the buffer length with is_args=0 but performs the copy with is_args=1, so ngx_escape_uri expands escaped bytes threefold and overflows a heap buffer with attacker-controlled URI data.
Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t cleanup pointer, redirecting it to invoke system() on pool destruction.
Precondition: config must use a rewrite directive with ? in the replacement string and a subsequent set directive referencing an unnamed capture group ($1, $2).
Fixed in NGINX Open Source 1.31.0 / 1.30.1 and NGINX Plus R36 P4, R35 P2, R32 P6; F5 advisory at K000160932.
Three additional memory corruption CVEs (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) were found in the same NGINX audit.
Hacker News Comment Review
The published PoC disables ASLR, but commenters warn this understates the risk: worker processes are forked from the master process and share its memory layout, so an attacker gets unlimited crash-and-retry attempts against a fixed layout, which could serve as a read oracle or a reliable DoS.
Consensus mitigation while patching: replace unnamed captures ($1, $2) with named captures in rewrite directives. Configurations that contain no rewrite directive with ? in its replacement followed by a set directive using unnamed captures are unaffected.
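As an added example (not from the original post or the NGINX project), a small Python check that scans nginx configuration text for the affected pattern described above: a rewrite with ? in its replacement followed by a set directive that references $1..$9. The tokenizer is minimal and does not follow include files; treating "same block" as the relevant scope is an assumption, and the sample configs are constructed.

```python
import re

COMMENT = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*')            # keeps quoted strings, drops # comments
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|([;{}])|([^\s;{}"\']+)')
UNNAMED_CAPTURE = re.compile(r"\$\d")                           # $1, $2, ... in a set value

def parse_directives(config):
    """Split nginx config text into (block_id, tokens) in source order; every
    { } block gets its own id. Minimal tokenizer: include files are not followed."""
    out, toks, stack, next_id = [], [], [0], 1
    stripped = COMMENT.sub(lambda c: "" if c.group()[0] == "#" else c.group(), config)
    for m in TOKEN.finditer(stripped):
        if m.group(3):                                  # ; ends a directive, { } open/close a block
            if toks:
                out.append((stack[-1], toks))
            toks = []
            if m.group(3) == "{":
                stack.append(next_id)
                next_id += 1
            elif m.group(3) == "}":
                stack.pop()
        else:                                           # bare or quoted argument
            toks.append(next(g for g in m.groups() if g is not None))
    return out

def find_vulnerable_patterns(config):
    """Flag a rewrite whose replacement contains '?' followed, in the same block
    (scope is an assumption), by a set directive that references $1..$9."""
    findings, pending = [], {}
    for block, toks in parse_directives(config):
        if toks[0] == "rewrite" and len(toks) >= 3 and "?" in toks[2]:
            pending[block] = toks
        elif (toks[0] == "set" and len(toks) >= 3 and block in pending
              and UNNAMED_CAPTURE.search(toks[2])):
            findings.append((block, pending[block], toks))
    return findings

# Constructed sample configs, not taken from any real deployment.
VULNERABLE_CONF = """
location /old/ {
    rewrite ^/old/(.*)$ /new/?path=$1;   # '?' in the replacement ...
    set $orig $1;                        # ... then set references an unnamed capture
}
"""
MITIGATED_CONF = """
location /old/ {
    rewrite "^/old/(?<rest>.*)$" /new/?path=$rest;   # named capture replaces $1
    set $orig $rest;
}
"""
```

Run find_vulnerable_patterns over each config file you ship; a non-empty result names the block, the rewrite and the set directive to convert to named captures.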
A segment of commenters pushed back on dismissing severity due to ASLR, noting ASLR is defense-in-depth and the full writeup claims a reliable bypass exists.
Notable Comments
@RagingCactus: “ASLR is a defense-in-depth technique” – argues treating the published PoC’s ASLR-off assumption as the ceiling of attacker capability is dangerously wrong.
@linkregister: Notes forked worker architecture means unlimited crash attempts against a fixed memory layout, making a read oracle plausible even with ASLR enabled.