Nginx Rift
A critical heap-based buffer overflow vulnerability, CVE-2026-42945, has been discovered in NGINX software, affecting both open source and commercial versions. The flaw allows unauthenticated remote attackers to crash worker processes or execute arbitrary code via crafted HTTP requests. The vulnerability stems from a configuration-specific issue in the rewrite module involving unnamed regex captures and URI handling.
- CVE-2026-42945 is a critical-severity heap-based buffer overflow in NGINX software with a CVSS v4.0 score of 9.2.
- The vulnerability is triggered by a specific rewrite configuration pattern involving unnamed regex captures and a question mark in the replacement string.
- It affects NGINX Open Source, NGINX Plus, and several F5 products, but not F5's cloud or BIG-IP platforms.
- Remote, unauthenticated attackers can achieve remote code execution or cause denial of service via crafted HTTP requests.
- Mitigation involves upgrading to patched versions or refactoring rewrite rules to use named captures instead of unnamed ones.
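To find candidate rules for the refactoring mentioned in the last bullet, the following added example (not code from the original writeup or from NGINX) scans configuration text for `rewrite` directives that combine an unnamed capture group, a positional reference such as `$1`, and a question mark in the replacement. The matching heuristic is an assumption drawn from the summary above, the function name `audit` and the sample configuration are constructed for illustration, and quoted or multi-line directives are not handled.

```python
import re

# One `rewrite <regex> <replacement> [flag];` directive on a single line.
# Simplification (assumption): arguments are unquoted and contain no spaces.
REWRITE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+?)(?:\s+\w+)?\s*;')
# Unnamed group: an unescaped "(" not followed by "?". Named groups
# ((?<n>..), (?P<n>..), (?'n'..)) and non-capturing (?:..) all start with "(?".
UNNAMED_GROUP = re.compile(r'(?<!\\)\((?!\?)')
# Positional capture reference ($1 .. $9) in the replacement string.
POSITIONAL_REF = re.compile(r'\$[1-9]')


def audit(config_text):
    """Return [(line_no, directive)] for rewrite rules matching the pattern
    the summary describes: unnamed capture + '?' in the replacement."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE.match(line)  # commented-out lines do not match
        if not m:
            continue
        regex, replacement = m.groups()
        if (UNNAMED_GROUP.search(regex)
                and POSITIONAL_REF.search(replacement)
                and '?' in replacement):
            findings.append((no, line.strip()))
    return findings


# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r"""
server {
    rewrite ^/old/(.*)$ /new/$1?src=legacy last;
    rewrite ^/u/(?<id>\d+)$ /user?id=$id last;
    rewrite ^/docs/(.*)$ /manual/$1 permanent;
    # rewrite ^/x/(.*)$ /y/$1?z=1;
    rewrite ^/a/(.*)$ /b/$1? break;
}
"""

if __name__ == "__main__":
    for no, directive in audit(SAMPLE):
        print(f"line {no}: review and convert to a named capture: {directive}")
```

A clean result from this scan does not replace upgrading to a patched version; it only helps prioritise which rules to rewrite with named captures.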
Opening excerpt (first ~120 words)
CVE-2026-42945 · Heap-based Buffer Overflow · CVSS v4.0 9.2 (Critical) found autonomously by depthfirst NGINX Rift An 18 year old memory corruption flaw in NGINX Plus and NGINX Open Source lets an unauthenticated attacker crash worker processes or execute remote code with crafted HTTP requests. TL;DR A bug in the ngx_http_rewrite_module lets…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Depthfirst.