NGINX Rewrite Module RCE via Heap Buffer Overflow (CVE-2026-42945)
Overview
NGINX Rewrite Module RCE via Heap Buffer Overflow, tracked as CVE-2026-42945, affects NGINX Open Source and NGINX Plus under specific rewrite configuration conditions. The vulnerability sits in ngx_http_rewrite_module, a common component used to transform request URLs and route traffic.
Vulnerability Overview
CVE-2026-42945 is a heap-based buffer overflow in the NGINX rewrite module. The vulnerable condition involves rewrite logic where a rewrite directive is followed by another rewrite, if, or set directive, an unnamed PCRE capture such as $1 or $2 is used, and the replacement string includes a question mark.
When those configuration conditions are present, crafted HTTP requests can trigger unsafe memory handling in an NGINX worker process. The vulnerability is configuration-dependent, so not every NGINX deployment is exposed.
Impact
The vulnerability is rated Critical with a CVSS 4.0 score of 9.2. Successful exploitation can crash or restart an NGINX worker process, causing denial of service for affected traffic paths.
Remote code execution may also be possible on systems where ASLR is disabled or where an attacker can bypass ASLR, which makes internet-facing reverse proxy and web gateway deployments especially sensitive.
Vulnerability Scope
The CVE applies to NGINX Open Source and NGINX Plus when the vulnerable rewrite module pattern is present. Software versions that have reached end of technical support may not be fully evaluated in the vendor advisory, so operational exposure should be assessed from both version and configuration.
Teams should review NGINX rewrite rules, validate package versions against vendor guidance, and prioritize systems that process untrusted HTTP requests at the edge.
Lab Focus
This Hackviser lab focuses on understanding how a web server configuration feature can become a memory-corruption vulnerability. You will practice identifying risky rewrite patterns, interpreting CVE conditions, and connecting edge-service exposure to patching and configuration review.