RC RANDOM CHAOS

NGINX heap overflow CVE-2026-42945 enables unauthenticated RCE via rewrite module

Via Hacker News. Original source: "New Nginx Exploit" (Hacker News).

A critical heap buffer overflow in NGINX’s ngx_http_rewrite_module, present since 2008, allows unauthenticated remote code execution against servers that use the rewrite and set directives. The flaw, tracked as CVE-2026-42945, stems from a two-pass script engine: the sizing pass runs on a freshly zeroed sub-engine in which the is_args flag reads as 0, while the copy pass sees is_args set to 1 and calls ngx_escape_uri with NGX_ESCAPE_ARGS, which expands every escapable byte to three bytes. The result is a heap buffer sized for the raw input but written with the expanded, attacker-controlled URI data.

The published proof of concept escalates the overflow to code execution through cross-request heap feng shui. Because the overflowing URI bytes cannot contain NUL terminators, the exploit sprays an adjacent ngx_pool_t structure using POST bodies, overwriting its cleanup pointer so that it references a forged ngx_pool_cleanup_s that calls system() when the pool is torn down. Three additional memory-corruption CVEs (CVE-2026-42946, CVE-2026-40701 and CVE-2026-42934) were disclosed alongside it.

Notably, all four bugs were surfaced by depthfirst’s autonomous security analysis system after a single onboarding of the NGINX source tree. Given NGINX’s deployment footprint and the absence of authentication requirements, operators running rewrite-heavy configurations should treat patching as urgent.
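As an added example (not code from the page, from NGINX or from depthfirst), the script below inventories every `rewrite` and `set` directive in an nginx configuration, with its enclosing block and whether its value carries request-derived variables, so an operator can see which configurations the patch-urgency advice above applies to. The parser and the sample config are constructed here; the parser does not follow `include` directives or handle `;` and `{` inside quoted strings or regex quantifiers.

```python
"""Inventory nginx rewrite/set directives (the directives tied to CVE-2026-42945)."""
import re
from dataclasses import dataclass

# Constructed sample config, not taken from the page or from any real deployment.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        set $backend "static";          # constant value, no request-derived data
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1?from=$args last;
        }
        location /api/ {
            set $upstream_path $uri;
            proxy_pass http://app$upstream_path;
        }
    }
}
"""

@dataclass
class Finding:
    line: int            # line on which the directive starts
    directive: str       # "rewrite" or "set"
    args: str            # directive arguments as written
    context: str         # enclosing blocks, e.g. "http > server > location /old/"
    uses_variables: bool # True if the value (not the variable name/regex) contains "$"

def find_rewrite_directives(config_text: str) -> list:
    """Walk the config statement by statement, tracking block nesting."""
    text = re.sub(r"#[^\n]*", "", config_text)   # drop comments (naive: ignores quotes)
    findings, stack, buf, line, start = [], [], [], 1, 1
    for ch in text:
        if ch == "\n":
            line += 1
        if ch in ";{}":
            stmt = "".join(buf).split()
            buf = []
            if ch == "{":
                stack.append(" ".join(stmt) or "<anonymous>")
            elif ch == "}":
                if stack:
                    stack.pop()
            elif stmt and stmt[0] in ("rewrite", "set"):
                # stmt[1] is the variable name (set) or the match regex (rewrite);
                # only the value/replacement and flags in stmt[2:] can carry request data.
                findings.append(Finding(start, stmt[0], " ".join(stmt[1:]),
                                        " > ".join(stack) or "main",
                                        any("$" in t for t in stmt[2:])))
            continue
        if not buf:
            if ch.isspace():
                continue
            start = line
        buf.append(ch)
    return findings

if __name__ == "__main__":
    for f in find_rewrite_directives(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.directive} {f.args}  [{f.context}]"
              f"{'  <- request-derived value' if f.uses_variables else ''}")
```

Run it against a real `nginx -T` dump (which already expands includes) to get a full inventory; every flagged directive marks a block that the advisory's patching advice covers.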


This is an AI-generated summary. Read the original for the full story.