A critical heap buffer overflow vulnerability has been discovered in the source code of NGINX, present since 2008.
This vulnerability has been publicly disclosed, along with a working proof-of-concept exploit that can enable unauthenticated remote code execution (RCE) against one of the most widely used web servers in the world.
Assigned a CVSS score of 9.2, CVE-2026-42945 resides in NGINX’s ngx_http_rewrite_module.
This engine powers URL rewriting and variable assignment in virtually every modern NGINX deployment.
The bug was first introduced in version 0.6.27, released in 2008, and remained undetected for 18 years across all versions up to 1.30.0.
18-Year-Old NGINX RCE Vulnerability
The flaw is triggered when a configuration uses both rewrite and set directives together, a common pattern in API gateway setups.
NGINX’s internal script engine processes these directives using a two-pass system: the first pass calculates memory length, and the second writes data into the allocated buffer.
The critical flaw lies in a state mismatch between the two passes. When a rewrite directive contains a question mark (?), it permanently sets an is_args = 1 flag on the main script engine.
However, during the first (length calculation) pass, a zeroed-out sub-engine is used, meaning is_args is effectively zero. The length is calculated without accounting for URI escaping.
In the second (copy) pass, the main engine runs with is_args = 1, causing the ngx_escape_uri function to expand each escapable byte from 1 to 3 bytes.
The result: far more data is written to the buffer than was allocated, leading to a classic heap buffer overflow.
Researchers developed a working RCE exploit for systems with ASLR disabled.
The security research firm depthfirst autonomously discovered the vulnerability during an April 2026 code audit that also uncovered three additional memory corruption bugs.
The attack chains heap manipulation, fake cleanup structure spraying via POST bodies, and NGINX’s deterministic multi-process architecture to achieve reliable, repeatable code execution. A public PoC is now available on GitHub.
Three additional CVEs were confirmed alongside the critical flaw:
| CVE | Severity | CVSS | Affected Module | Impact |
|---|---|---|---|---|
| CVE-2026-42945 | Critical | 9.2 | ngx_http_rewrite_module | Heap buffer overflow → RCE |
| CVE-2026-42946 | High | 8.3 | ngx_http_scgi/uwsgi_module | ~1 TB allocation → crash |
| CVE-2026-40701 | Medium | 6.3 | ngx_http_ssl_module | Use-after-free via OCSP |
| CVE-2026-42934 | Medium | 6.3 | ngx_http_charset_module | Out-of-bounds read |
The vulnerability impacts a wide range of F5/NGINX products, including NGINX Open Source 0.6.27–1.30.0, NGINX Plus R32–R36, NGINX Instance Manager, NGINX App Protect WAF, NGINX Gateway Fabric, and NGINX Ingress Controller.
| Product | Affected Versions | Patched Version |
|---|---|---|
| NGINX Plus | R32 – R36 | R36 P1+ / R37+ |
| NGINX Instance Manager | 2.16.0 – 2.21.1 | 2.21.2+ |
| F5 WAF for NGINX | 5.9.0 – 5.12.1 | 5.12.2+ |
| NGINX App Protect WAF | 4.9.0 – 4.16.0 and 5.1.0 – 5.8.0 | 4.16.1+ / 5.8.1+ |
| F5 DoS for NGINX | 4.8.0 | 4.8.1+ |
| NGINX App Protect DoS | 4.3.0 – 4.7.0 | 4.7.1+ |
| NGINX Gateway Fabric | 1.3.0 – 1.6.2 and 2.0.0 – 2.5.1 | 1.6.3+ / 2.5.2+ |
| NGINX Ingress Controller | 3.5.0 – 3.7.2, 4.0.0 – 4.0.1, 5.0.0 – 5.4.1 | 3.7.3+ / 4.0.2+ / 5.4.2+ |
F5 released its official security advisory on May 13, 2026. Administrators should upgrade to NGINX 1.30.1 or 1.31.0 immediately.
Organizations that cannot patch right away should audit configurations for combined rewrite + set directive usage and consider restricting exposed NGINX deployments behind an additional WAFlayer until patching is complete.
