NGINX Rift: An 18-Year-Old Heap Buffer Overflow Just Got a CVE and a PoC
CVE-2026-42945 is a critical heap buffer overflow in the NGINX rewrite module that has existed since 2008. CVSS 9.2, public PoC, zero authentication required.
The Vulnerability
On May 13, 2026, researchers from DepthFirst AI disclosed CVE-2026-42945, a heap buffer overflow in the NGINX ngx_http_rewrite_module. The vulnerability affects NGINX versions 0.6.27 through 1.30.0, roughly 18 years of releases. It carries a CVSS score of 9.2 (Critical).
The bug is remotely reachable over HTTP, requires no authentication, and can be triggered when specific rewrite-rule patterns are present in the NGINX configuration. Most exploitation scenarios result in worker process crashes (DoS), but multiple reports confirm potential Remote Code Execution (RCE) in environments where ASLR is disabled.
A public proof-of-concept exploit was published on GitHub by the DepthFirst research team.
Why It Matters
NGINX is the world's most deployed web server and reverse proxy. It sits in front of millions of production applications. The rewrite module is one of its most commonly used features. URL normalization, path routing, and redirect rules all use it. The attack surface is enormous.
The fact that this vulnerability persisted undetected for 18 years, only to be found by an AI-powered security research agent, is itself a signal about the state of legacy code auditing.
The CWE Mapping
CWE-122 (Heap-based Buffer Overflow): The core vulnerability. A crafted URL triggers an out-of-bounds write in the heap during rewrite processing.
CWE-787 (Out-of-bounds Write): The parent CWE. The overflow writes beyond allocated buffer boundaries, corrupting heap metadata.
CWE-676 (Use of Potentially Dangerous Function): The underlying C string manipulation in the rewrite module does not adequately bound-check input lengths against buffer allocations.
Immediate Actions
- Patch to NGINX 1.30.1+ (or the corresponding stable branch patch). All major distributions (Ubuntu, RHEL, AlmaLinux) released fixes on May 13-14.
- Audit rewrite rules. Configurations with complex regex capture groups in rewrite directives are the most exposed. Simple redirects are lower risk.
- Check WAF coverage. Several WAF vendors pushed virtual patches within 24 hours of disclosure.
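The first two actions above (confirm whether a deployed version falls inside 0.6.27 through 1.30.0, then find the rewrite directives whose regexes use capture groups) can be scripted. The following is an added example written for this article, not Deva's tooling and not code from the DepthFirst disclosure. It takes the affected range from the advisory, treats any unescaped capture group in a rewrite regex as "review this rule" (a heuristic, not a vulnerability test), and runs against a constructed nginx.conf fragment and Dockerfile embedded in the script.

```python
"""Defender-side checks for CVE-2026-42945 (added example, not Deva's own code).

Two checks mirroring the Immediate Actions list:
  1. Does an NGINX version string fall inside the affected range 0.6.27 .. 1.30.0?
  2. Which rewrite directives in a config use regex capture groups
     (the configurations the advisory calls most exposed)?
The sample config and Dockerfile below are constructed for this example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

AFFECTED_MIN = (0, 6, 27)   # first affected release per the advisory
AFFECTED_MAX = (1, 30, 0)   # last affected release; 1.30.1+ carries the fix


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull an x.y.z version out of strings such as 'nginx/1.26.2',
    the 'nginx version: nginx/1.26.2' line printed by `nginx -v`, or an image tag."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """'affected', 'not-in-range' (fixed 1.30.1+ or older than 0.6.27), or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # e.g. the tag 'latest': resolve the digest before deciding
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "not-in-range"


def is_affected(version_text: str) -> bool:
    """Convenience wrapper: True only when the version is inside the published range."""
    return classify(version_text) == "affected"


class RewriteRule(NamedTuple):
    line_no: int
    pattern: str
    has_capture_group: bool


# rewrite <regex> <replacement> [flag];  (only the regex is needed here)
REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+\S+")
# An unescaped '(' that is not the '(?' of a non-capturing or lookaround group
CAPTURE_RE = re.compile(r"(?<!\\)\((?!\?)")


def audit_rewrites(config: str) -> List[RewriteRule]:
    """List rewrite directives and flag the ones whose regex has a capture group."""
    rules = []
    for n, line in enumerate(config.splitlines(), 1):
        code = line.split("#", 1)[0]      # drop trailing comments (assumes no '#' in the regex)
        m = REWRITE_RE.match(code)
        if not m:
            continue
        pattern = m.group(1)
        rules.append(RewriteRule(n, pattern, CAPTURE_RE.search(pattern) is not None))
    return rules


def dockerfile_base_versions(dockerfile: str) -> List[str]:
    """Return the nginx image tags referenced by FROM lines in a Dockerfile."""
    tags = []
    for line in dockerfile.splitlines():
        m = re.match(r"^\s*FROM\s+(?:\S+/)?nginx:(\S+)", line, re.IGNORECASE)
        if m:
            tags.append(m.group(1))
    return tags


# Constructed sample inputs (not taken from any real deployment)
SAMPLE_CONF = r"""server {
    listen 80;
    rewrite ^/old-path$ /new-path permanent;        # simple redirect, no capture
    rewrite ^/users/(\d+)/profile$ /profile?id=$1 last;
    rewrite ^/(?:api|v1)/(.*)$ /backend/$1 break;
    location /static/ { }
}
"""

SAMPLE_DOCKERFILE = """FROM nginx:1.29.3-alpine AS base
FROM nginx:latest
FROM docker.io/library/nginx:1.30.1
"""

if __name__ == "__main__":
    for tag in dockerfile_base_versions(SAMPLE_DOCKERFILE):
        print(f"image tag {tag!r}: {classify(tag)}")
    for rule in audit_rewrites(SAMPLE_CONF):
        flag = "REVIEW (capture group)" if rule.has_capture_group else "ok"
        print(f"line {rule.line_no}: rewrite {rule.pattern}  -> {flag}")
```

The version check is deliberately a range test, not an "equals fixed version" test, because a distribution backport may ship a patched build under an older version number; treat a hit as "verify against the vendor's advisory", and treat an unresolvable tag such as `latest` as unknown rather than safe. The capture-group flag only prioritises which rules to read by hand; a rule without capture groups is lower risk per the advisory, not proven unaffected.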
How Deva Flags This
Deva's CVE lookup post-processor cross-references installed NGINX versions against the NVD and CISA KEV catalogs. The SCA pipeline flags vulnerable NGINX versions in container images, Dockerfiles, and infrastructure-as-code templates. CWE-122 findings in C/C++ codebases are automatically surfaced under the OWASP and NIST 800-53 presets.
Deva Security Team
Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.