NGINX Rift – 18-Year-Old Heap Buffer Overflow in Rewrite Module Enables Unauthenticated RCE (CVE-2026-42945)

Scope: NGINX Open Source 0.6.27 – 1.30.0 / NGINX Plus R32 – R36

Severity: Red

An 18-year-old critical heap buffer overflow (CVSS 9.2) in NGINX's ngx_http_rewrite_module allows unauthenticated remote attackers to crash NGINX worker processes, or to achieve remote code execution on systems with ASLR disabled, by sending a single crafted HTTP request. The flaw was discovered by an autonomous AI security analysis system, and a public proof-of-concept RCE exploit now exists.

The flaw arises from a size mismatch between the two passes of NGINX's rewrite processing: when unnamed PCRE captures are combined with a question mark in a replacement string, the length pass underestimates the buffer size needed for URI-encoded characters, and the copy pass then writes past the allocation.

Given that NGINX powers approximately one-third of all web servers globally, the impact surface is enormous.

Organizations should upgrade immediately to NGINX Open Source 1.31.0 or 1.30.1, or NGINX Plus R32 P6 / R36 P4. As an interim measure, replace all unnamed PCRE captures ($1, $2) with named captures in affected rewrite rules.
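To find the rules that need the interim change to named captures, the following added example (not part of the original advisory, and not NGINX or CERT.UG/CC code) scans configuration text for rewrite directives whose replacement string combines an unnamed capture with a question mark. The function name and the sample configuration are constructed for illustration; the check is a heuristic based only on the condition described above, and it does not follow include directives.

```python
import re

# Tokens: comment, double-quoted arg, single-quoted arg, punctuation, bare arg.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|(?:\\.|[^\s;{}])+''')
UNNAMED = re.compile(r"\$[1-9]")  # unnamed PCRE capture reference: $1 .. $9

def find_risky_rewrites(conf_text):
    """Return [(line_no, directive)] for rewrite rules whose replacement
    string contains both an unnamed capture and a question mark."""
    hits, raw, start = [], [], 0
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok.startswith("#"):
            continue                      # comment runs to end of line
        if tok in (";", "{", "}"):        # end of directive or block boundary
            if tok == ";" and len(raw) >= 3 and raw[0] == "rewrite":
                # raw[1] is the regex, raw[2] the replacement (maybe quoted)
                repl = raw[2][1:-1] if raw[2][0] in "\"'" else raw[2]
                if UNNAMED.search(repl) and "?" in repl:
                    hits.append((start, " ".join(raw)))
            raw = []
            continue
        if not raw:                       # first token: remember its line
            start = conf_text.count("\n", 0, m.start()) + 1
        raw.append(tok)
    return hits

# Constructed sample configuration (not taken from the advisory).
SAMPLE = r'''server {
    location /a { rewrite ^/a/(.*)$ /b/$1?src=a last; }
    rewrite "^/u/(\d+)$" "/user?id=$1" permanent;
    rewrite ^/c/(?<rest>.*)$ /d/$rest?src=c last;
    rewrite ^/e/(.*)$ /f/$1 break;
    # rewrite ^/g/(.*)$ /h/$1?x=1 last;
}
'''

if __name__ == "__main__":
    for line_no, directive in find_risky_rewrites(SAMPLE):
        print(f"line {line_no}: {directive}")
```

Running it over the output of nginx -T covers included files in one pass. In the sample, the rule on line 4 shows the named-capture form that the interim measure asks for.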

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.