Critical NGINX Heap Overflow PoC Published – CVE-2026-42945
Technical details and proof-of-concept (PoC) exploit code targeting a newly patched critical-severity vulnerability in NGINX are now publicly available. Tracked as CVE-2026-42945 with a CVSS score of 9.2, the flaw was patched this week as part of F5's quarterly security release, having remained dormant in the widely used web server for 16 years. The vulnerability resides in the ngx_http_rewrite_module component as a heap buffer overflow that can be exploited to trigger a denial-of-service (DoS) condition, and potentially enable remote code execution (RCE) if ASLR protections are disabled. Organizations running NGINX servers with rewrite and set directives should prioritize patching immediately, as researchers warn active exploitation could follow the public release of weaponized code.
Security researchers at Depthfirst have published a detailed technical analysis explaining the root cause of the flaw. The vulnerability stems from NGINX's two-pass rewrite script engine: one pass computes the required buffer size while a second pass copies data. Because the internal engine state changes between passes, a rewrite replacement containing a question mark ("?") causes an unpropagated flag that results in an undersized buffer allocation. This allows attacker-controlled escaped URI data to overflow the heap boundary. The researchers note that by padding request URIs with plus signs, the escaping function expands each byte into three bytes, enabling controlled overflow of the allocated memory chunk.
Achieving reliable remote code execution requires sophisticated memory manipulation techniques. Since null bytes cannot be used in the overflow, attackers must overwrite every field in the NGINX memory pool up to the target pointer, then destroy the pool immediately after the header is corrupted to avoid crashing the worker process. The exploitation chain uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t cleanup pointer, sprayed via POST bodies, redirecting execution to a fake ngx_pool_cleanup_s structure that invokes system() during pool destruction. F5 has released patches for NGINX Plus versions 37.0.0, R36 P4, and R32 P6, as well as NGINX open source versions 1.31.0 and 1.30.1. System administrators can verify their server configurations using our SSL/TLS checker and port scanner tools to ensure proper security posture while planning updates. Administrators should also run a privacy checkup to assess exposure from potential exploitation attempts.
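The article gives administrators two facts to act on: the fixed open-source releases (1.31.0 and 1.30.1) and the configuration features that put a server in scope (rewrite and set directives, with a "?" in a rewrite replacement being the specific trigger). The following triage helper is an added example written for this page; it is not code from the article, from Depthfirst, or from F5/NGINX. It compares a version string against the fixed releases and scans a configuration file for in-scope directives. The sample configuration is constructed, and treating every release below the fixed versions as unpatched is an assumption (the article lists only the fixed versions). NGINX Plus builds use a different version scheme and are not handled.

```python
"""Triage helper for CVE-2026-42945 exposure (added example, not project code).

1. is_patched(): does the nginx version string sit at or after a fixed
   open-source release named in the article?
2. scan_config(): which rewrite/set directives are present, and which
   rewrite replacements contain the "?" the article identifies as the trigger?
"""
import json
import re
from typing import Dict, List, Tuple

# Fixed open-source releases quoted in the article.
FIXED_OSS = [(1, 31, 0), (1, 30, 1)]

# Matches a single-line "rewrite ...;" or "set ...;" directive at line start.
DIRECTIVE_RE = re.compile(r"^\s*(rewrite|set)\s+(.*?);", re.M)

# Constructed sample configuration for demonstration only.
SAMPLE_CONF = """
server {
    listen 80;
    set $backend "app";                        # in scope: set directive
    rewrite ^/old/(.*)$ /new/$1 permanent;     # in scope, no '?' in replacement
    rewrite ^/q/(.*)$ /search?term=$1 last;    # replacement contains '?'
    # rewrite ^/x$ /y?z;   commented out, must be ignored
}
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract a.b.c from strings such as 'nginx version: nginx/1.29.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True when the version is at or after the fix for its release line.

    Assumption: 1.31.0 and later are fixed; on the 1.30 line 1.30.1 and
    later are fixed; everything older is treated as unpatched because the
    article names no fix for earlier lines.
    """
    v = parse_version(version)
    if v >= (1, 31, 0):
        return True
    if v[:2] == (1, 30):
        return v >= (1, 30, 1)
    return False


def strip_comments(conf: str) -> str:
    """Drop '#' comments so commented-out directives are not reported."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def scan_config(conf: str) -> List[Dict]:
    """One record per rewrite/set directive found in the configuration.

    For rewrite, the second argument is the replacement; only that part is
    checked for '?', since the regex (first argument) legitimately uses '?'.
    Multi-line directives are not parsed by this simple scanner.
    """
    findings = []
    for m in DIRECTIVE_RE.finditer(strip_comments(conf)):
        name, args = m.group(1), m.group(2).strip()
        rec = {"directive": name, "args": args, "question_mark": False}
        if name == "rewrite":
            parts = args.split()  # rewrite <regex> <replacement> [flag]
            if len(parts) >= 2:
                rec["question_mark"] = "?" in parts[1]
        findings.append(rec)
    return findings


def triage(version: str, conf: str) -> Dict:
    """Combine the version check and the config scan into one summary."""
    findings = scan_config(conf)
    return {
        "patched": is_patched(version),
        "in_scope": bool(findings),
        "rewrites_with_question_mark": sum(f["question_mark"] for f in findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Typical use: feed the output of `nginx -v` and the contents of nginx.conf.
    print(json.dumps(triage("nginx version: nginx/1.30.0", SAMPLE_CONF), indent=2))
```

A server that reports `patched: false` and `in_scope: true` should be moved to the front of the patch queue; a non-zero `rewrites_with_question_mark` count identifies the directives the article's root-cause analysis describes as the trigger, which is useful when a temporary configuration change has to bridge the gap until the update is deployed.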