Nginx Rift: Silent RCE - CVE-2026-42945
Overview
CVE-2026-42945, dubbed Nginx Rift, is a critical heap buffer overflow residing in NGINX's ngx_http_rewrite_module — a component present in virtually every NGINX deployment since version 0.6.27 (2008). The vulnerability enables unauthenticated remote code execution and affects NGINX Open Source up to 1.30.0 and NGINX Plus up to R36.
Root Cause
NGINX's rewrite script engine uses a two-pass architecture:
- Pass 1 (length calculation): Runs on a freshly initialized sub-engine where `is_args = 0`. Returns the raw capture length, which is used to size the buffer.
- Pass 2 (data copy): Executes on the main engine where `is_args = 1`, set when a `rewrite` replacement contains `?`. Calls `ngx_escape_uri()` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.
The buffer allocated in Pass 1 is undersized relative to what Pass 2 actually writes. The result is a heap buffer overflow with attacker-controlled URI data.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.30.1, 1.31.0 |
| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |
Exploitation
Successful exploitation involves:
- Heap feng shui via cross-request spraying: POST bodies are used to position `ngx_pool_t` structures adjacent to the overflow target (URI bytes cannot contain null bytes, so a POST body spray is required).
- Cleanup pointer corruption on the adjacent pool: overwriting `ngx_pool_cleanup_s->handler` to point to `system()`.
- Pool destruction trigger: on request teardown, NGINX walks the cleanup chain and executes the attacker-supplied command.
Remediation
Immediate: Upgrade to NGINX Open Source 1.30.1 / 1.31.0 or NGINX Plus R36 P4 / R35 P2 / R32 P6.
Interim mitigations if upgrade is not immediately possible:
- Audit all `rewrite` directives containing `?` in replacement strings.
- Deploy a WAF rule blocking URI patterns with high concentrations of `%`-encoded sequences targeting rewrite endpoints.
- Monitor for anomalous worker process crashes (`segfault` in `/var/log/nginx/error.log`).
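An added audit helper for the first mitigation above, written for this page rather than taken from the advisory or the NGINX project: it scans an nginx configuration for `rewrite` directives whose replacement string contains `?` (the shape that sets `is_args = 1`) and reports whether the replacement also copies a capture. The sample configuration is constructed; the regex-based parser assumes each directive fits on one logical line and does not follow `include` directives.

```python
import re

# Constructed sample nginx.conf (not from the advisory) mixing affected and
# unaffected rewrite shapes so the audit has something to report.
SAMPLE_CONFIG = r"""
server {
    listen 80;
    # Replacement carries '?' and copies a capture: the affected shape.
    rewrite ^/old/(.*)$ /new?path=$1 last;
    # No '?': the length pass and the copy pass agree.
    rewrite ^/legacy/(.*)$ /modern/$1 permanent;
    location /api {
        rewrite "^/api/v1/(.*)$" /v2/$1?legacy=1 break;
    }
    # '?' but no capture reference: lower priority, still worth review.
    rewrite ^/ping$ /health?probe=1 last;
}
"""

# One rewrite argument: double-quoted, single-quoted, or bare (no space/';').
_ARG = r"""(?:"[^"]*"|'[^']*'|[^\s;]+)"""
# rewrite <regex> <replacement> [flag]; anchored to line start so '# rewrite' is skipped.
REWRITE_RE = re.compile(
    r"^[ \t]*rewrite\s+(?P<regex>" + _ARG + r")\s+(?P<repl>" + _ARG + r")"
    r"(?:\s+(?P<flag>last|break|redirect|permanent))?\s*;",
    re.MULTILINE,
)
CAPTURE_RE = re.compile(r"\$\d")  # $1, $2, ... capture references

def _unquote(arg):
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        return arg[1:-1]
    return arg

def find_rewrites(config_text):
    """Return (line_no, regex, replacement, flag) for each rewrite directive."""
    found = []
    for m in REWRITE_RE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start()) + 1
        found.append((line_no, _unquote(m.group("regex")),
                      _unquote(m.group("repl")), m.group("flag")))
    return found

def audit_rewrites(config_text):
    """Return (line_no, replacement, has_capture) for rewrites whose replacement has '?'."""
    return [(ln, repl, bool(CAPTURE_RE.search(repl)))
            for ln, _rx, repl, _flag in find_rewrites(config_text)
            if "?" in repl]
```

Run `audit_rewrites(open("/etc/nginx/nginx.conf").read())` against a real file; hits with `has_capture` set are the ones to prioritise while the upgrade is pending.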
Vendor advisory: https://my.f5.com/manage/s/article/K000160932
References
- NVD: CVE-2026-42945
- DepthFirst Technical Write-up: https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
- GitHub PoC: https://github.com/depthfirstdisclosures/nginx-rift