NGINX Rift Heap Overflow RCE (CVE-2026-42945)
18-year-old rewrite-module desync enables pre-auth RCE; depthfirst PoC indexed on Sploitus with Docker lab and exploit modes.
Summary
CVE-2026-42945, dubbed NGINX Rift, is a critical heap buffer overflow in NGINX's ngx_http_rewrite_module — present since 2008 — enabling unauthenticated remote code execution when a configuration combines a rewrite directive whose replacement contains ? with set capture variables (set $X $N). A full PoC with Docker lab, detect/probe/exploit modes, and dual-fixture verification is indexed on Sploitus. The vulnerability was autonomously rediscovered alongside related memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) by depthfirst.
OFFSITE.DARK cites Sploitus as the index source only; this is not an original exploit release.
Technical Details
NGINX's script engine uses a two-pass model: first compute buffer length, then copy escaped data. When a rewrite replacement contains ?, the main engine sets is_args = 1, but the length pass runs on a zeroed sub-engine where is_args = 0.
| Pass | is_args | Behavior |
|---|---|---|
| Length | 0 | Allocates buffer for raw capture length |
| Copy | 1 | ngx_escape_uri(NGX_ESCAPE_ARGS) expands bytes up to 3× |
Undersized allocation → heap overflow with attacker-controlled URI data.
Exploitation chain (indexed PoC):
- Heap feng shui via POST /spray bodies (NUL bytes allowed in body, not URI)
- URI overflow corrupts the adjacent ngx_pool_t.cleanup head
- Pool destruction invokes the planted fake ngx_pool_cleanup_s → system(cmd)
| Product | Affected | Fixed |
|---|---|---|
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.30.1, 1.31.0 |
| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |
Config prerequisite: rewrite ... ? + set $X $N in nginx.conf. Default configs without this pattern are not reachable.
PoC modes: --check (surface detection), --probe (offset enumeration, crashes workers), --exploit (full RCE). Lab uses ASLR-off fixtures with hardcoded offsets — production exploitation requires per-target leak/offset work.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-42945 |
| CVSS | 9.2 (Critical) |
| CWE | CWE-122 — Heap-based Buffer Overflow |
| Sploitus date | 2026-05-22 |
| Research | depthfirst NGINX Rift write-up |
Impact
Pre-authentication remote code execution as the nginx worker user (www-data / nginx). From worker context: read TLS keys and upstream secrets, pivot to backends, install web shells if write permissions exist. Internet exposure depends on rewrite configurations — passive scans show many enterprise CDN and reverse-proxy deployments use custom rewrite rules.
Mitigation
- Upgrade to NGINX Open Source 1.30.1+ or 1.31.0+ (or current NGINX Plus patched builds).
- Audit nginx.conf for rewrite directives containing ? combined with set capture variables; refactor or remove until patched.
- Run workers unprivileged with read-only web roots and no cloud credentials in the worker environment.
- Temporary: remove vulnerable rewrite blocks and reload nginx; validate with the PoC's --check mode only in authorized lab environments.
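The audit step above can be scripted. The following is an added example (not from the indexed PoC or from depthfirst) that scans an nginx.conf for the reachability pattern this advisory names: a rewrite whose replacement contains ? together with a set directive assigning a numbered capture ($1..$9). The sample configs are constructed, the parser is a deliberately simple heuristic, and include files are not resolved.

```python
import re

# Constructed sample configs (not taken from the advisory).
VULNERABLE_CONF = """
server {
    listen 80;
    location /old {
        # capture variable assigned alongside a '?' rewrite
        rewrite ^/old/(.*)$ /new?path=$1 last;
        set $item $1;
    }
}
"""

SAFE_CONF = """
server {
    listen 80;
    location /old {
        rewrite ^/old/(.*)$ /new/$1 permanent;
        set $item $1;
    }
}
"""

def _directives(conf: str):
    # Yield (name, args) for each simple directive. Comments are dropped and
    # braces are treated as statement separators: this heuristic does not care
    # which block the rewrite and set directives live in.
    body = re.sub(r"#[^\n]*", "", conf).replace("{", ";").replace("}", ";")
    for stmt in body.split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def find_rift_pattern(conf: str) -> list:
    """Return one finding per rewrite whose replacement (2nd argument) contains
    '?' when the config also assigns a numbered capture via `set`."""
    rewrites, captures = [], []
    for name, args in _directives(conf):
        if name == "rewrite" and len(args) >= 2 and "?" in args[1]:
            rewrites.append(" ".join(["rewrite"] + args))
        elif name == "set" and len(args) == 2 and re.search(r"\$[1-9]", args[1]):
            captures.append(" ".join(["set"] + args))
    if not captures:
        return []
    return [{"rewrite": r, "captures": list(captures)} for r in rewrites]
```

A non-empty result means the config matches the pattern the advisory describes and should be refactored or upgraded; an empty result does not prove a host is safe, since included files and dynamically generated configs are not covered.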
Sources
- Sploitus — CVE-2026-42945 (depthfirst PoC) (index source)