Depthfirst's autonomous code analysis system discovered four memory corruption vulnerabilities in NGINX, including a critical heap buffer overflow (CVE-2026-42945, CVSS 9.2) that has existed since 2008 and affects NGINX versions 0.6.27 through 1.30.0. The flaw lies in the script engine's two-pass evaluation of rewrite and set directives: a length pass sizes the output buffer, and a copy pass then writes into it. A question mark in a rewrite replacement sets the engine's is_args flag, and the flag is never cleared, but the sub-engine used for the length pass is zeroed out, so it sizes the buffer as if is_args were unset and undercounts. The copy pass, running with is_args set, then escapes URI characters (each escaped byte expands from 1 byte to 3) and writes past the end of the heap allocation. A working RCE proof of concept used heap feng shui to corrupt an adjacent pool's cleanup pointer, pointing it at fake ngx_pool_cleanup_s structures sprayed via POST bodies so that the handler field redirects execution to libc's system(). The exploit works reliably because NGINX's multi-process memory layout is deterministic. F5 released patches on May 13, 2026.
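The length-pass/copy-pass mismatch is easier to see in a reduced model. The C below is an added illustration written for this page, not NGINX source and not Depthfirst's proof of concept: a one-field engine struct carries is_args, `len_pass` sizes the capture the way a zeroed sub-engine would, and `copy_pass` writes it the way the main engine does, escaping to %XX when is_args is set. The escape table is a simplified stand-in for ngx_escape_uri, the directive names and the `inherit_is_args` "fix" are assumptions for the demo (the page does not describe what F5's patch changes), and the copy pass is bounds-checked so it reports the overrun instead of corrupting the heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of NGINX's two-pass script evaluation (not NGINX code).
   One engine struct carries the is_args flag. A length pass sizes the output;
   a copy pass then writes it, escaping bytes as %XX only when the engine
   running that pass has is_args set. */
typedef struct {
    int is_args;   /* set once a rewrite replacement contains '?', never cleared */
} engine_t;

/* Simplified escape set (assumption): unreserved chars and '/' pass through,
   everything else expands 1 byte -> 3 bytes. ngx_escape_uri's real tables differ. */
static int needs_escape(unsigned char c) {
    return !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
             (c >= '0' && c <= '9') || c == '-' || c == '_' ||
             c == '.' || c == '~' || c == '/');
}

/* Length pass: bytes this engine believes the capture will occupy. */
size_t len_pass(const engine_t *e, const char *cap, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += (e->is_args && needs_escape((unsigned char)cap[i])) ? 3 : 1;
    return len;
}

/* Copy pass: writes the capture into out[0..cap_size), escaping if is_args.
   Bounds-checked for the demo; returns how many bytes would have landed past
   cap_size (0 means the copy fit the buffer the length pass sized). */
size_t copy_pass(const engine_t *e, const char *cap, size_t n,
                 char *out, size_t cap_size) {
    static const char hex[] = "0123456789ABCDEF";
    size_t pos = 0, overrun = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)cap[i];
        char tmp[3];
        size_t k;
        if (e->is_args && needs_escape(c)) {
            tmp[0] = '%'; tmp[1] = hex[c >> 4]; tmp[2] = hex[c & 15]; k = 3;
        } else {
            tmp[0] = (char)c; k = 1;
        }
        for (size_t j = 0; j < k; j++) {
            if (pos < cap_size) out[pos] = tmp[j]; else overrun++;
            pos++;
        }
    }
    return overrun;
}

/* First a rewrite whose replacement holds '?' flips is_args on the main engine;
   then a later directive sizes a capture with a zeroed length sub-engine and
   copies it with the main engine. inherit_is_args=0 models the behaviour the
   advisory describes; inherit_is_args=1 is the obvious correction and only an
   assumption about what a fix looks like. Returns the overrun in bytes. */
size_t run_rewrite_then_set(const char *capture, int inherit_is_args) {
    engine_t main_e = {0};
    const char *replacement = "/index?$1";          /* constructed rewrite target */
    if (strchr(replacement, '?')) main_e.is_args = 1;

    engine_t len_e;
    memset(&len_e, 0, sizeof len_e);                /* the "zeroed out" sub-engine */
    if (inherit_is_args) len_e.is_args = main_e.is_args;

    size_t n = strlen(capture);
    size_t alloc = len_pass(&len_e, capture, n);    /* pool allocation size */
    char *buf = malloc(alloc ? alloc : 1);
    if (!buf) return 0;
    size_t overrun = copy_pass(&main_e, capture, n, buf, alloc);
    free(buf);
    return overrun;
}

int main(void) {
    const char *cap = "a b c";                      /* constructed capture with two spaces */
    printf("zeroed sub-engine: %zu bytes past the allocation\n", run_rewrite_then_set(cap, 0));
    printf("inheriting is_args: %zu bytes past the allocation\n", run_rewrite_then_set(cap, 1));
    return 0;
}
```

With the capture `a b c`, the zeroed length pass allocates 5 bytes while the copy pass emits `a%20b%20c`, 9 bytes, so 4 bytes land past the allocation; a capture with nothing to escape fits either way, which is why the bug needs both the earlier `?` and escapable bytes in the captured data.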