A proof-of-concept exploit for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module that has been present since 2008. The bug stems from a mismatch between the length-calculation pass and the copy pass in NGINX's script engine: when the is_args flag is set, ngx_escape_uri expands bytes during the copy pass that the sizing pass did not account for, so attacker-controlled URI data overflows an undersized heap buffer. Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t cleanup pointer, ultimately invoking system() on pool destruction for unauthenticated RCE. It affects NGINX Open Source 0.6.27–1.30.0 and NGINX Plus R32–R36; fixes are available. The vulnerability was discovered autonomously by an AI-powered security analysis system.
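For triage, the first question a defender has is whether a given deployment falls inside the affected ranges stated above. The following Python is an added example, not code from the summary or from the PoC repository: it parses `nginx -v` style banners and reports whether the version lies in the ranges the summary gives (Open Source 0.6.27–1.30.0 inclusive, Plus R32–R36 inclusive). The banner formats, the `nginx-plus-rNN` marker and the sample banners are assumptions constructed for the example; the summary does not name the fixed releases, so a version outside the range is reported only as "outside the stated affected range", not as patched.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as stated in the summary (both ends inclusive).
OSS_AFFECTED_MIN = (0, 6, 27)
OSS_AFFECTED_MAX = (1, 30, 0)
PLUS_AFFECTED_MIN = 32
PLUS_AFFECTED_MAX = 36

# Assumed banner shapes (constructed for this example):
#   'nginx version: nginx/1.24.0'
#   'nginx version: nginx/1.27.4 (nginx-plus-r34)'
_OSS_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
_PLUS_RE = re.compile(r"nginx-plus-r(\d+)")


def parse_nginx_version(banner: str) -> Optional[Tuple[str, object]]:
    """Return ('plus', release_number) or ('oss', (major, minor, patch)),
    or None when the banner is not recognised as an NGINX banner.
    Plus is checked first because Plus banners also carry an nginx/x.y.z core version."""
    plus = _PLUS_RE.search(banner.lower())
    if plus:
        return ("plus", int(plus.group(1)))
    oss = _OSS_RE.search(banner)
    if oss:
        return ("oss", tuple(int(g) for g in oss.groups()))
    return None


def in_stated_affected_range(banner: str) -> Optional[bool]:
    """True if the banner's version is inside the ranges the summary states,
    False if outside them, None if the banner could not be parsed.
    'False' means outside the stated range only; it does not assert a fix is applied."""
    parsed = parse_nginx_version(banner)
    if parsed is None:
        return None
    kind, ver = parsed
    if kind == "plus":
        return PLUS_AFFECTED_MIN <= ver <= PLUS_AFFECTED_MAX
    return OSS_AFFECTED_MIN <= ver <= OSS_AFFECTED_MAX


def triage(banners: List[str]) -> List[Tuple[str, str]]:
    """Map each banner to a short verdict string for an inventory report."""
    labels = {True: "in stated affected range",
              False: "outside stated affected range",
              None: "unrecognised banner"}
    return [(b, labels[in_stated_affected_range(b)]) for b in banners]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        "nginx version: nginx/1.24.0",
        "nginx version: nginx/0.6.26",
        "nginx version: nginx/1.30.0",
        "nginx version: nginx/1.30.1",
        "nginx version: nginx/1.27.4 (nginx-plus-r34)",
        "nginx version: nginx/1.29.0 (nginx-plus-r37)",
        "Server version: Apache/2.4.57",
    ]
    for banner, verdict in triage(sample):
        print(f"{banner!r:55} -> {verdict}")
```

Feed it the output of `nginx -v` collected from each host (it writes the banner to stderr) and treat every "in stated affected range" result as a host to patch; unrecognised banners should be checked by hand rather than assumed safe.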

Source: github.com