Share
## https://sploitus.com/exploit?id=C1FE5C56-3FCE-56DA-AA3A-8F800CE8CBB1
# NGINX Rift

RCE Proof of concept for **CVE-2026-42945**, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` introduced in 2008. The bug enables unauthenticated remote code execution against servers using `rewrite` and `set` directives.

This vulnerability โ€” along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) โ€” was autonomously discovered by [depthfirst](https://depthfirst.com)'s security analysis system after a single click of onboarding the NGINX source.


## The Bug (TL;DR)

NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The `is_args` flag is set on the main engine when a `rewrite` replacement contains `?`, but the length-calculation pass runs on a freshly zeroed sub-engine. So:

- **Length pass** sees `is_args = 0` โ†’ returns raw capture length.
- **Copy pass** sees `is_args = 1` โ†’ calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.

The copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent `ngx_pool_t`'s `cleanup` pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake `ngx_pool_cleanup_s` invoking `system()` on pool destruction.

Read more about this bug in our https://t.me/p3Nt3st3rsTAr

## Affected & Fixed Versions

| Product | Affected | Fixed in |
| --- | --- | --- |
| NGINX Open Source | 0.6.27 โ€“ 1.30.0 | 1.31.0, 1.30.1 |
| NGINX Plus | R32 โ€“ R36 | R36 P4, R35 P2, R32 P6 |

Full vendor advisory: 

## Usage

Tested on Ubuntu 24.04.3 LTS.

1. `./setup.sh` โ€” build the container.
2. `docker compose -f env/docker-compose.yml up` โ€” start the vulnerable NGINX server.
3. `python3 poc.py --shell` โ€” pop a shell.