## https://sploitus.com/exploit?id=77A888D9-B099-5175-B433-C9C18FEA6B1B
# 5. CVE-2026-42945 - Critical NGINX RCE (CVSS 9.2)
## Classification
- **Category:** 0-Day / Remote Code Execution
- **CVE:** CVE-2026-42945
- **CVSS:** 9.2 (Critical)
- **Date Discovered:** May 12, 2026
- **Date Patched:** May 2026 (F5 quarterly security release)
- **Source:** GitHub (DepthFirstDisclosures/Nginx-Rift)
## Vulnerability Details
A **heap buffer overflow** in NGINX's `ngx_http_rewrite_module` component that was introduced in **2008** -- meaning it existed for **16 years** before discovery.
- **Affected versions**: NGINX Open Source 0.6.27 - 1.30.0
- **Fixed in**: NGINX 1.31.0, 1.30.1
- **Also affects**: NGINX Plus R32 - R36
### Root Cause
The vulnerability is in the **two-pass script engine**:
1. **Pass 1**: Compute required buffer size
2. **Pass 2**: Copy data into the buffer
The problem: **internal engine state changes between the two passes**. When a rewrite replacement contains a `?` (question mark), an **unpropagated flag** causes an undersized buffer allocation, allowing attacker-controlled escaped URI data to overflow the heap boundary.
### Exploitation Mechanics
```python
# Conceptual: padding request URI with '+' signs forces
# the escaping function to expand each byte into three bytes,
# overflowing the allocated chunk. The overflow size is
# fully controlled by the number of escapable characters.
```
To achieve RCE (bypassing ASLR):
1. Cross-request **heap feng shui** via POST body sprays
2. Corrupt adjacent `ngx_pool_t` cleanup pointer
3. Redirect to fake `ngx_pool_cleanup_s` invoking `system()` on pool destruction
Related CVEs discovered by the same system: CVE-2026-42946, CVE-2026-40701, CVE-2026-42934
## PoC Availability
- **Repository**: `DepthFirstDisclosures/Nginx-Rift` on GitHub
- **Stars**: 786 (as of discovery)
- **Language**: Python (92.6%), Shell (7.4%)
- **Status**: Functional proof-of-concept
- **Tested on**: Ubuntu 24.04.3 LTS
## Discovery Method
This vulnerability was **autonomously discovered** by DepthFirst's security analysis system after a **single click** of onboarding the NGINX source code -- highlighting the power of automated vulnerability discovery.
## Mitigation
- Update NGINX Open Source to **1.31.0 or 1.30.1**
- Update NGINX Plus to **R36 P4, R35 P2, or R32 P6**
- If patching is delayed, disable rewrite directives with `?` in replacements
## Where to Find
- **PoC**: https://github.com/depthfirstdisclosures/nginx-rift
- **Security advisory**: F5 security bulletin
- **Analysis**: SecurityWeek, DepthFirst disclosure