Share
## https://sploitus.com/exploit?id=CED8F6B1-8F4A-5CA0-9406-3E0DD1C64695
# CVE-2026-42945 Actual Risk Assessment Scripts

Native risk assessment tool for **CVE-2026-42945** (Nginx Rift). Instead of just telling you that "the affected version is dangerous", this script goes through the three conditions that actually determine risk, layer by layer, and comes up with a conclusion that matches your actual situation.

---

## Background

CVE-2026-42945 is an 18-year-old heap buffer overflow vulnerability (CWE-122) in the nginx `ngx_http_rewrite_module` with a CVSS 4.0 rating of 9.2. However, the bulletin has a key qualification:

> *"Code execution possible on systems without ASLR protection "*.

Three conditions need to be met simultaneously for an RCE to be established:

1. nginx is configured with a specific combination of `rewrite` + `set` directives. 2.
2. nginx is configured with a specific `rewrite` + `set` directive combination.
3. nginx heap address bytes are all URI-safe.

Without any of these, the worst that can happen is that the worker process crashes and is automatically restarted (DoS), rather than the server being taken over.

For a detailed analysis, see: ["nginx has been hiding a bomb for 18 years, did the 9.2-point vulnerability blow up your server or not?"]] (#)

---

## Quick facts

```bash
## Download the script
curl -sO https://raw.githubusercontent.com/YOUR_USERNAME/YOUR_REPO/main/check_cve_2026_42945.sh

# Run it (requires sudo to read the full nginx configuration)
sudo bash check_cve_2026_42945.sh
``

---

## Detecting items

The script checks the following four items in turn, and any one that is not satisfied exits early and gives a conclusion:

| Detection Items | Description |
|--------|------|
| nginx version | Affected range: 0.6.27 - 1.30.0 |
| Vulnerability Trigger Configuration | Concurrent `rewrite`s with `? | ASLR Status | ASLR Status | ASLR Status | ASLR Status | ASLR Status | ASLR Status
| ASLR Status | Read `/proc/sys/kernel/randomize_va_space` | Compilation Hardening | Detecting
| Compile Hardening | Detect `-fcf-protection` / `FORTIFY_SOURCE` / Full RELRO / Stack Protection |

---

## Sample output

**Scenario 1: Version affected but no vulnerability triggering configuration (most common)**

``
[*] nginx version: 1.24.0
[!] Version 1.24.0 is in the affected range, continue checking for trigger conditions...
[*] Scanning nginx configuration (checking for rewrite+set vulnerability configuration combinations)...
[โœ“] Vulnerability trigger configurations not found (rewrite+set combo)

Conclusion: version affected, but no vulnerability-triggering configurations, very low actual risk.
Recommendation: Plan to upgrade to 1.30.1 / 1.31.0, no need for urgency!
``

**Scenario 2: Vulnerable configurations, ASLR on, compilation hardening perfected

```
[!] Version 1.24.0 is in the affected scope, continue checking for trigger conditions...
[!] Vulnerability trigger configuration found:
โ†’ location ~ ^/api/(. *)$ {
[โœ“] ASLR enabled (level 2, full randomization)
โ†’ RCE prerequisites for reliable exploitation not met, worst case worker process crash (DoS)
[โœ“] -fcf-protection detected (Intel CET control flow protection)
[โœ“] FORTIFY_SOURCE=3 detected
[โœ“] Full RELRO detected (GOT read-only)
[โœ“] Stack-protection detected (stack-protector)

Risk level: Low
Recommendation: Upgrade to nginx 1.30.1 / 1.31.0 in the next maintenance window.
``

**Scenario 3: Vulnerable Configuration, ASLR Disable**

```
[!] Vulnerability trigger configuration found:
โ†’ location ~ ^/api/(. *)$ {
[โœ—] ASLR closed! RCE risk significantly increased!

Risk level: High (DoS certain / RCE possible)

Immediate actions:
1. Temporarily remove or modify the rewrite+set configuration that triggered the vulnerability. 2.
2. Confirm ASLR is on: echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
3. Upgrade nginx: apt install nginx or compile and install 1.30.1+.
``

---

## Risk level description

| Level | Meaning | Suggested treatment rhythm |
|------|------|-------------|
| No effect | No nginx installed or version fixed | No action required
| Very Low | Version affected but no triggering configuration | Upgrade next routine maintenance |
| Low | Trigger configuration present but ASLR + compilation hardened | Upgrade next maintenance window | Medium | Trigger configuration present but ASLR + compilation hardened | Upgrade next maintenance window | No action required
| Medium | Trigger configuration present, protection gaps exist | Upgrade as soon as possible, availability at risk
| High | With triggering configuration + ASLR off + hardening missing | Handle immediately |

---

## Fixed version

| Products | Affected Versions | Fixed Versions |
|------|-----------|---------|
| NGINX Open Source Edition | 0.6.27 - 1.30.0 | **1.30.1 / 1.31.0** |
| NGINX Plus | R32 - R36 | **R36 P4 / R35 P2 / R32 P6** |

```bash
# Ubuntu / Debian
sudo apt update && sudo apt install nginx

# Verify the version
nginx -v
``

Official announcement: https://my.f5.com/manage/s/article/K000161019

---

## Test coverage

The scripts have been actually verified in the following scenarios:

- [x] nginx is not installed โ†’ exit directly
- [x] nginx version not affected (1.31.0) โ†’ unaffected
- [x] version affected, no trigger configuration โ†’ very low risk
- [x] version affected, trigger configured, ASLR enabled, hardening complete โ†’ low risk
- [x] version affected, trigger configuration, ASLR turned off โ†’ medium/high risk

Test environment: Ubuntu 22.04 LTS, nginx 1.24.0 (Ubuntu official package)

---

## Limitations

- Configuration detection is based on regular matching, complex multi-layered `include` structures may be missed (scripts expand all includes with `nginx -T` to cover most cases)
- Does not detect OpenResty / Tengine etc. nginx derivatives.
- Linux only

--- --- --- --- --- --- --- --- --- --- --- ---

## License

MIT