Full Report
Multiple vulnerabilities have been discovered in NGINX, the most severe of which could allow for remote code execution. NGINX is software used for web serving, reverse proxying, caching, and load balancing. Successful exploitation of the most severe of these vulnerabilities may allow an unauthenticated threat actor to crash vulnerable NGINX worker processes by sending crafted HTTP requests. Additionally, on systems with Address Space Layout Randomization (ASLR) disabled, exploitation may result in remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: Multiple NGINX Vulnerabilities Including Heap Buffer Overflow and RCE
## CVE Details
- **CVE ID:** CVE-2026-42945 (Primary), CVE-2026-42946, CVE-2026-40701, CVE-2026-42934
- **CVSS Score:** 9.8 (Critical - Estimated based on RCE/Unauthenticated impact)
- **CWE:** CWE-122 (Heap-based Buffer Overflow), CWE-416 (Use After Free), CWE-125 (Out-of-bounds Read), CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:**
  - NGINX Open Source: 0.6.27 through 1.30.0
  - NGINX Plus: R32 through R36
  - NGINX Instance Manager: 2.16.0 through 2.21.1
  - F5 WAF for NGINX: 5.9.0 through 5.12.1
  - NGINX App Protect WAF: 4.9.0 through 4.16.0; 5.1.0 through 5.8.0
  - NGINX gateway products (Fabric, Ingress Controller) and DoS modules
- **Configurations:** Systems with **Address Space Layout Randomization (ASLR) disabled** are at significantly higher risk of Remote Code Execution (RCE). Performance-optimized environments that use the rewrite or proxy modules described below are the primary targets.
## Vulnerability Description
Multiple flaws exist across various NGINX modules:
- **CVE-2026-42945 (Heap Overflow):** Located in `ngx_http_rewrite_module`. An unpropagated flag during rewrite/set sequences leads to undersized buffer allocation. Attackers can write escaped URI data past the heap boundary.
- **CVE-2026-42946 (Memory Allocation):** In `ngx_http_scgi_module` and `ngx_http_uwsgi_module`. A state mismatch causes a massive key length (~1 TB) calculation, crashing the worker.
- **CVE-2026-40701 (Use After Free):** In `ngx_http_ssl_module`. Occurs when a TLS connection closes while asynchronous OCSP DNS resolution is pending, leaving a dangling pointer in the DNS timer.
- **CVE-2026-42934 (OOB Read):** In `ngx_http_charset_module`. Off-by-one error during UTF-8 sequence handling across buffer boundaries allows reading memory before the allocated buffer.
## Exploitation
- **Status:** **Exploited in the Wild** (CVE-2026-42945 reported by VulnCheck); **PoC available** (published by DepthFirst).
- **Complexity:** Medium (RCE requires specific memory conditions like disabled ASLR).
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Potential for full data access)
- **Integrity:** High (System modification/account creation)
- **Availability:** High (Worker process crashing/DoS)
## Remediation
### Patches
- Immediate updates are recommended for all NGINX deployments. Users should refer to F5's official advisory for the fixed version of each affected product (for NGINX Open Source, releases after 1.30.0).
### Workarounds
- **Enable ASLR:** Ensure Address Space Layout Randomization is enabled on the host OS to mitigate RCE risk.
- **Restrict Permissions:** Run NGINX worker processes with the least possible privileges to limit post-exploitation impact.
- **Module Disabling:** If specific modules like SCGI, uWSGI, or Charset are not in use, they should be disabled.
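The three workarounds above can be verified from the host. The following audit script is an added example, not tooling from F5 or from this advisory; it assumes the Linux ASLR sysctl semantics (`kernel.randomize_va_space`: 0 disabled, 1 partial, 2 full), the standard `nginx -V` output format with its `configure arguments:` line, and the `user` directive of nginx.conf. The `--without-http_scgi_module`, `--without-http_uwsgi_module` and `--without-http_charset_module` flags are NGINX's real configure-time switches for removing those modules; the sample `nginx -V` output and configuration are constructed.

```python
"""Host-side checks for the three NGINX workarounds (added example).

Assumes: Linux /proc/sys/kernel/randomize_va_space semantics, the standard
`nginx -V` output layout, and the nginx.conf `user` directive. The sample
inputs at the bottom are constructed, not captured from a real host.
"""
import re
import shlex

# Modules the advisory suggests disabling when unused, mapped to the
# configure-time flags that leave them out of the build.
OPTIONAL_MODULE_FLAGS = {
    "scgi": "--without-http_scgi_module",
    "uwsgi": "--without-http_uwsgi_module",
    "charset": "--without-http_charset_module",
}


def aslr_status(randomize_va_space: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space.

    0 = disabled, 1 = stack/mmap/vdso randomized, 2 = heap (brk) randomized too.
    """
    value = randomize_va_space.strip()
    return {"0": "disabled", "1": "partial", "2": "full"}.get(value, "unknown")


def configure_args(nginx_v_output: str) -> list[str]:
    """Extract the configure arguments from `nginx -V` output (printed on stderr)."""
    for line in nginx_v_output.splitlines():
        if line.startswith("configure arguments:"):
            return shlex.split(line.split(":", 1)[1])
    return []


def modules_still_built(nginx_v_output: str) -> list[str]:
    """Optional modules from OPTIONAL_MODULE_FLAGS that the binary still contains."""
    args = set(configure_args(nginx_v_output))
    return [name for name, flag in OPTIONAL_MODULE_FLAGS.items() if flag not in args]


def worker_user(nginx_conf: str) -> str:
    """User the worker processes drop to (`user` directive; NGINX defaults to 'nobody')."""
    m = re.search(r"^\s*user\s+(\S+?)(?:\s+\S+)?\s*;", nginx_conf, re.M)
    return m.group(1) if m else "nobody"


def audit(randomize_va_space: str, nginx_v_output: str, nginx_conf: str) -> list[str]:
    """Return one finding per missing workaround; an empty list means all are in place."""
    findings = []
    status = aslr_status(randomize_va_space)
    if status != "full":
        findings.append(f"ASLR is {status}; set kernel.randomize_va_space=2")
    if worker_user(nginx_conf) == "root":
        findings.append("workers run as root; set a dedicated low-privilege 'user' in nginx.conf")
    for mod in modules_still_built(nginx_v_output):
        findings.append(f"{mod} module is compiled in; rebuild with "
                        f"{OPTIONAL_MODULE_FLAGS[mod]} if it is unused")
    return findings


# Constructed sample inputs (not real host output).
SAMPLE_NGINX_V = """nginx version: nginx/1.30.0
built by gcc 13.2.0 (Debian 13.2.0-1)
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_uwsgi_module
"""
SAMPLE_CONF = "user nginx;\nworker_processes auto;\n"

if __name__ == "__main__":
    # On a live host you would read the sysctl file, run `nginx -V` and
    # read /etc/nginx/nginx.conf instead of using the constructed samples.
    for finding in audit("0\n", SAMPLE_NGINX_V, SAMPLE_CONF) or ["all workarounds in place"]:
        print(finding)
```

On a real host, feed `audit()` the contents of `/proc/sys/kernel/randomize_va_space`, the stderr of `nginx -V`, and the main configuration file. Note that a partial ASLR setting (value 1) leaves the heap unrandomized, which is why the check only accepts 2.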
## Detection
- **Indicators of Compromise:** Monitor for frequent, unexpected NGINX worker process crashes (Segmentation Faults).
- **Detection Methods:**
  - Review access logs for requests with unusually long or heavily escaped URIs, which are the inputs that rewrite rules process.
  - Use automated vulnerability scanners (referencing CIS Safeguard 7.5).
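The two detection methods above can be applied to NGINX's own logs. The following script is an added example, not part of the advisory; it assumes the default `combined` access log format and the default error log line format (`worker process N exited on signal S`). The length and escaping thresholds are assumptions to be tuned per site, and every sample log line is constructed.

```python
"""Log-based detection for the indicators above (added example, not from the advisory).

Assumes the default 'combined' access_log format and the default error_log
format. Thresholds are site-specific assumptions; sample lines are constructed.
"""
import re
from collections import Counter

# combined: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
ACCESS_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# e.g. 2026/05/15 10:00:01 [alert] 1234#1234: worker process 5678 exited on signal 11
CRASH_RE = re.compile(r"\[alert\] \d+#\d+: worker process (\d+) exited on signal (\d+)")

MAX_URI_LEN = 2048      # assumption: longest legitimate URI the site serves
MAX_ESCAPE_RATIO = 0.3  # assumption: share of URI bytes taken up by %XX escapes


def suspicious_uri(uri: str) -> list[str]:
    """Return the reasons a URI looks anomalous (empty list if none)."""
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("long-uri")
    escapes = uri.count("%")
    if escapes and escapes * 3 / len(uri) > MAX_ESCAPE_RATIO:
        reasons.append("heavy-escaping")
    return reasons


def flag_access_lines(lines) -> list[dict]:
    """Parse combined-format lines and keep those whose URI trips a heuristic."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not combined format or a truncated line
        reasons = suspicious_uri(m["uri"])
        if reasons:
            hits.append({"addr": m["addr"], "time": m["time"], "uri_len": len(m["uri"]),
                         "status": int(m["status"]), "reasons": reasons})
    return hits


def worker_crashes(error_lines) -> Counter:
    """Count worker exits by signal number; 11 (SIGSEGV) and 6 (SIGABRT) are the ones to alarm on."""
    by_signal = Counter()
    for line in error_lines:
        m = CRASH_RE.search(line)
        if m:
            by_signal[int(m.group(2))] += 1
    return by_signal


# Constructed sample log lines (not captured traffic).
SAMPLE_ACCESS = [
    '203.0.113.5 - - [15/May/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    '203.0.113.9 - - [15/May/2026:10:00:01 +0000] "GET /' + "%41" * 400
    + ' HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [15/May/2026:10:00:02 +0000] "GET /' + "a" * 3000 + ' HTTP/1.1" 200 0 "-" "-"',
]
SAMPLE_ERROR = [
    "2026/05/15 10:00:01 [alert] 1234#1234: worker process 5678 exited on signal 11",
    "2026/05/15 10:00:01 [notice] 1234#1234: start worker process 5690",
    "2026/05/15 10:00:02 [alert] 1234#1234: worker process 5690 exited on signal 11 (core dumped)",
]

if __name__ == "__main__":
    for hit in flag_access_lines(SAMPLE_ACCESS):
        print("suspicious request:", hit)
    for sig, n in worker_crashes(SAMPLE_ERROR).items():
        print(f"worker exits on signal {sig}: {n}")
```

One practical caveat when using this on real logs: the access log entry is written after a response completes, so a request that crashes a worker usually leaves no access-log line at all. Treat the error-log crash count as the primary alarm and use the access-log heuristics to find the same client's preceding requests by timestamp.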
## References
- hxxps://cve.mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2026-42945
- hxxps://depthfirst[.]com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
- hxxps://my.f5[.]com/manage/s/article/K000161019
- hxxps://docs.vulncheck[.]com/initial-access/2026-05-15#cve-2026-42945-nginx-ngx_http_rewrite_module-heap-based-buffer-overflow-queries-and-signatures-only