CVE-2026-42945 is a heap buffer overflow in ngx_http_rewrite_module enabling unauthenticated RCE on NGINX 0.6.27 through 1.30.0, fixed in 1.31.0 and 1.30.1.
Key Takeaways
The bug stems from a mismatch between the two passes of the rewrite script engine: the length pass runs with is_args=0 and sizes the buffer for unescaped bytes, while the copy pass runs with is_args=1 and calls ngx_escape_uri, which expands each escaped byte to three (%XX), so the copy runs past the end of the heap buffer.
Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t cleanup pointer, redirecting it to a fake ngx_pool_cleanup_s that calls system() on pool destruction.
Requires a rewrite directive with ? in the replacement string and a set directive referencing a regex capture group – this is not a universal configuration, so only deployments with that combination are affected.
Mitigation before patching: replace unnamed captures ($1, $2) with named captures in rewrite definitions per the F5 advisory.
Three additional memory corruption CVEs (42946, 40701, 42934) were found in the same NGINX source by the same automated analysis system.
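A constructed before/after configuration illustrating the affected pattern and the named-capture mitigation described above. This is an added example, not text from the F5 advisory or the nginx source; the location, regex and variable names are assumptions chosen for illustration, and the two blocks are alternatives (deploy only one).

```nginx
# Constructed example, not from the F5 advisory or the nginx source tree.
#
# BEFORE: the affected combination. The rewrite replacement contains "?"
# and the following set references an unnamed capture ($1) of the same regex.
location /legacy/ {
    rewrite ^/legacy/([^/]+)/(.*)$ /app/$2?tenant=$1 last;
    set $tenant $1;
}

# AFTER: interim mitigation until 1.31.0 / 1.30.1 is deployed. The regex is
# unchanged; unnamed captures are replaced by named captures and every
# reference uses the capture name instead of $1/$2.
location /legacy/ {
    rewrite "^/legacy/(?<tenant_id>[^/]+)/(?<path>.*)$" /app/$path?tenant=$tenant_id last;
    set $tenant $tenant_id;
}
```

Run `nginx -t` after the substitution so a typo in a capture name fails at config test rather than at request time, and audit every server block for the rewrite-with-? plus set-with-$N combination rather than only the obvious ones.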
Hacker News Comment Review
The published PoC disables ASLR, but commenters noted that NGINX worker processes are forked from the master with an identical memory layout, so an attacker gets unlimited crash attempts and a plausible read oracle; this makes ASLR a weaker barrier than it first appears.
Consensus is that the rewrite-plus-set config combination is genuinely uncommon in practice, reducing real-world exposure, though no remote RCE should be dismissed outright.
Commenters raised the memory-safe web server question (Caddy in Go, Jetty in Java) but concluded any server at nginx scale will accumulate CVEs regardless of language.
Notable Comments
@linkregister: Worker fork inheritance means same memory layout across restarts – unlimited crashes give at minimum reliable denial of service, likely a read oracle path.
@neomantra: Named captures as drop-in mitigation is actionable before the patch lands; F5 advisory K000161019 has the exact config substitution.