Technical details and proof-of-concept (PoC) exploit code for a newly patched critical-severity vulnerability in NGINX are now publicly available.
Tracked as CVE-2026-42945 (CVSS score of 9.2), the issue was patched in the widely used web server this week as part of F5's latest quarterly patch release, 16 years after it was introduced.
The bug is described as a heap buffer overflow in the ngx_http_rewrite_module component that could be exploited to trigger a restart, creating a denial-of-service (DoS) condition.
Remote code execution (RCE) is also possible if Address Space Layout Randomization (ASLR) is disabled, F5 warned.
According to Depthfirst, CVE-2026-42945 affects NGINX servers using rewrite and set directives and is rooted in the use of a two-pass process in the script engine: one pass computes the required buffer size, and the other copies the data.
Because the internal engine state changes between the two passes, if a rewrite replacement that contains a question mark ("?") is used, an unpropagated flag causes an undersized buffer allocation, resulting in attacker-controlled escaped URI data being written past the heap boundary.
"By padding the request URI with plus signs, we can force the escaping function to expand each byte into three bytes, overflowing the allocated chunk. The size of the overflow is entirely under our control based on the number of escapable characters we provide," Depthfirst notes.
Because null bytes cannot be used in the overflow, achieving RCE requires overwriting all fields in the NGINX memory pool up to the target pointer, then destroying the pool as soon as the pool header corruption occurs, without crashing the worker process, the cybersecurity firm says.
"Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t's cleanup pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake ngx_pool_cleanup_s invoking system() on pool destruction," Depthfirst explains.
F5 patched the vulnerability in NGINX Plus versions 37.0.0, R36 P4, and R32 P6, and in NGINX open source versions 1.31.0 and 1.30.1.
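The bug class described above, as an added illustration that is not NGINX's code and not Depthfirst's PoC: a constructed two-pass routine in which the sizing pass and the copy pass consult different escaping state, so a "+" that the copy pass expands to three bytes is counted as one byte by the sizing pass. The `escape_in_pass1` flag, `size_pass`, `copy_pass` and `overflow_bytes` are hypothetical names; the copy is bounded so the model only reports the shortfall rather than writing past the allocation.

```c
#include <stddef.h>

/* Bytes one URI byte occupies after escaping: reserved characters such as
 * '+' become "%XX" (3 bytes); everything else stays 1 byte. */
static size_t escaped_width(unsigned char c, int escape) {
    if (!escape) return 1;
    return (c == '+' || c == ' ' || c == '%') ? 3 : 1;
}

/* Pass 1: compute the allocation. The modelled defect is that this pass only
 * sees the escaping flag when it has been propagated (escape_in_pass1 != 0). */
size_t size_pass(const char *uri, int escape_in_pass1) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)uri; *p; p++)
        n += escaped_width(*p, escape_in_pass1);
    return n;
}

/* Pass 2: copy with escaping always on. Returns the bytes it wants to write
 * but never writes beyond cap, so the mismatch is observable, not exploitable. */
size_t copy_pass(const char *uri, char *out, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)uri; *p; p++) {
        size_t w = escaped_width(*p, 1);
        if (n + w <= cap) {
            if (w == 3) {
                out[n] = '%';
                out[n + 1] = hex[*p >> 4];
                out[n + 2] = hex[*p & 15];
            } else {
                out[n] = (char)*p;
            }
        }
        n += w;
    }
    return n;
}

/* Number of bytes the copy pass would write past what the sizing pass
 * allocated; 0 means both passes agree (the flag was propagated). */
size_t overflow_bytes(const char *uri, int flag_propagated) {
    char buf[256];
    size_t alloc = size_pass(uri, flag_propagated);
    size_t cap = alloc < sizeof buf ? alloc : sizeof buf;
    size_t want = copy_pass(uri, buf, cap);
    return want > alloc ? want - alloc : 0;
}
```

Each unpropagated "+" adds two bytes of shortfall, which is the growth the quoted description attributes to padding the URI with plus signs; with the flag propagated both passes agree and the shortfall is zero.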