Technical details and proof-of-concept (PoC) exploit code targeting a newly patched critical-severity vulnerability in NGINX are now available.
Tracked as CVE-2026-42945 (CVSS score of 9.2), the issue was patched in the widely used web server this week as part of F5's latest quarterly patch release, 16 years after it was introduced.
The bug is described as a heap buffer overflow in the ngx_http_rewrite_module component that could be exploited to trigger a restart, creating a denial-of-service (DoS) condition.
Remote code execution (RCE) may also be possible if Address Space Layout Randomization (ASLR) is disabled, F5 warned.
According to Depthfirst, CVE-2026-42945 affects NGINX servers using the rewrite and set directives and is rooted in the script engine's two-pass design: one pass computes the required buffer size, and the other copies the data.
Because the internal engine state changes between the two passes, a rewrite replacement that contains a question mark ("?") leaves a flag unpropagated to the sizing pass, causing an undersized buffer allocation; attacker-controlled, escaped URI data is then written past the end of the heap allocation.
"By padding the request URI with plus signs, we can force the escaping function to expand each byte into three bytes, overflowing the allocated chunk. The size of the overflow is completely under our control based on the number of escapable characters we provide," Depthfirst notes.
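To make the size/copy mismatch concrete, the following is an added example written for this page; it is a toy model, not NGINX's code, and every name in it (the `engine` struct, the `escape_args` flag, `measure`, `copy_escaped`, `apply_replacement`) is hypothetical. It models the pattern the paragraphs above describe: a sizing pass that runs while the flag is clear, a state change caused by a "?" in the replacement, and a copy pass that escapes "+" into three bytes. The vulnerable flow reports how many bytes would have landed past the allocation (the copy is bounds-checked so the model itself stays memory-safe); the hardened flow settles the flag before measuring so both passes agree.

```c
/* Added example, not NGINX's code: a toy model of the two-pass
 * "measure, then copy" pattern with a flag that changes between passes.
 * All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical engine state. In this model, 'escape_args' decides whether
 * '+' in the URI is percent-encoded (3 bytes) or copied as-is (1 byte). */
struct engine {
    int escape_args;
};

/* Toy escaping rule: only '+' is escapable. */
static int is_escapable(char c) { return c == '+'; }

/* Pass 1: measure the buffer the escaped URI needs under the current flag. */
static size_t measure(const struct engine *e, const char *uri) {
    size_t n = 0;
    for (const char *p = uri; *p; p++)
        n += (e->escape_args && is_escapable(*p)) ? 3 : 1;
    return n;
}

/* Pass 2: escape/copy into dst. Never writes past 'cap' bytes so the model
 * is memory-safe; the return value is what an unchecked copy would write. */
static size_t copy_escaped(const struct engine *e, const char *uri,
                           char *dst, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (const char *p = uri; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (e->escape_args && is_escapable(*p)) {
            if (n + 3 <= cap) {
                dst[n] = '%';
                dst[n + 1] = hex[c >> 4];
                dst[n + 2] = hex[c & 0xF];
            }
            n += 3;
        } else {
            if (n < cap) dst[n] = *p;
            n++;
        }
    }
    return n;
}

/* Models a replacement such as "/b?x=1" switching the engine into
 * "escape the arguments" mode. */
static void apply_replacement(struct engine *e, const char *replacement) {
    if (strchr(replacement, '?')) e->escape_args = 1;
}

/* Vulnerable flow: measure before the state change, copy after it.
 * Returns the number of bytes that would land past the allocation. */
size_t overflow_bytes_unpropagated(const char *uri, const char *replacement) {
    struct engine e = {0};
    size_t alloc = measure(&e, uri);       /* pass 1 sees the flag clear */
    apply_replacement(&e, replacement);    /* state changes between passes */
    char *buf = malloc(alloc ? alloc : 1);
    size_t wrote = copy_escaped(&e, uri, buf, alloc); /* pass 2 sees it set */
    free(buf);
    return wrote > alloc ? wrote - alloc : 0;
}

/* Hardened flow: settle the flag before measuring so both passes agree. */
size_t overflow_bytes_propagated(const char *uri, const char *replacement) {
    struct engine e = {0};
    apply_replacement(&e, replacement);
    size_t alloc = measure(&e, uri);
    char *buf = malloc(alloc ? alloc : 1);
    size_t wrote = copy_escaped(&e, uri, buf, alloc);
    free(buf);
    return wrote > alloc ? wrote - alloc : 0;
}

int main(void) {
    const char *uri = "/a++++";   /* constructed sample: four escapable bytes */
    const char *rep = "/b?x=1";   /* constructed replacement containing '?' */
    printf("unpropagated flag: %zu bytes past the allocation\n",
           overflow_bytes_unpropagated(uri, rep));
    printf("propagated flag:   %zu bytes past the allocation\n",
           overflow_bytes_propagated(uri, rep));
    return 0;
}
```

Each escapable byte contributes two extra bytes in the vulnerable flow, so the overrun grows linearly with the number of "+" characters the attacker supplies and is zero whenever the replacement has no "?"; in the hardened flow it is zero regardless. Checking for a sizing/copy split in your own code, and making sure every piece of state the copy pass consults is fixed before the sizing pass runs, is the generic defence against this bug class.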
Because null bytes cannot be used in the overflow, achieving RCE requires overwriting every field of the NGINX memory pool up to the target pointer, then destroying the pool as soon as the pool header corruption happens, without crashing the worker process, the cybersecurity firm says.
"Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t's cleanup pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake ngx_pool_cleanup_s invoking system() on pool destruction," Depthfirst explains.
F5 patched the vulnerability in NGINX Plus versions 37.0.0, R36 P4, and R32 P6, and in NGINX open source versions 1.31.0 and 1.30.1.