
PoC Code Published for Critical NGINX Vulnerability

Introduced in 2008, the critical-severity security defect was patched this week in NGINX Plus and NGINX open source.


Technical details and proof-of-concept (PoC) exploit code targeting a newly patched critical-severity vulnerability in NGINX are now available.

Tracked as CVE-2026-42945 (CVSS score of 9.2), the issue was patched in the widely used web server this week as part of F5’s latest quarterly patch release, 18 years after it was introduced.

The bug is described as a heap buffer overflow in the ngx_http_rewrite_module component. At minimum it can be exploited to crash a worker process, which the master process then restarts, creating a denial-of-service (DoS) condition.

Remote code execution (RCE) is also possible if Address Space Layout Randomization (ASLR) is disabled, F5 warned.

According to Depthfirst, CVE-2026-42945 affects NGINX servers that use the rewrite and set directives, and is rooted in the script engine’s two-pass design: a first pass computes the required buffer size, and a second pass copies the data into it.

Internal engine state changes between those two passes. When a rewrite replacement contains a question mark (“?”), the flag that records this is not propagated to the sizing pass, so the buffer is allocated too small, and the copy pass then writes attacker-controlled, escaped URI data past the end of the heap allocation.


“By padding the request URI with plus signs, we can force the escaping function to expand each byte into three bytes, overflowing the allocated chunk. The size of the overflow is completely under our control based on the number of escapable characters we provide,” Depthfirst notes.
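The following C program is an added, constructed model of the size-then-copy mismatch described above; it is not NGINX source and not the Depthfirst proof of concept. The names size_pass, copy_pass, size_deficit and rewrite, the escape set, and the sample URI are assumptions made for illustration. It shows why an unpropagated escape flag in the sizing pass yields an allocation that is two bytes short per escapable character, and it replaces the unchecked copy with a bounds-checked one so the overrun is reported rather than performed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes this model escapes as %XX. '+' is the byte the write-up uses; the
 * real escape set depends on NGINX's escape type. Constructed model, not
 * NGINX source. */
static int needs_escape(unsigned char c)
{
    return c == '+' || c == ' ' || c == '"' || c == '<' || c == '>' || c == '%';
}

/* Pass 1: compute the allocation size. `escape_flag` stands in for the engine
 * state that must tell this pass escaping will happen in pass 2. When it is
 * not propagated (the bug), every escapable byte is counted as 1 instead of 3. */
size_t size_pass(const char *uri, size_t len, int escape_flag)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (escape_flag && needs_escape((unsigned char)uri[i])) ? 3 : 1;
    return n;
}

/* Pass 2: copy with escaping. Unlike the vulnerable engine, this copy is
 * bounds-checked: it never writes past `cap`, and sets *overflowed where the
 * unchecked original would have written out of bounds. Returns the byte
 * count actually required. */
size_t copy_pass(const char *uri, size_t len, char *out, size_t cap, int *overflowed)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    *overflowed = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (needs_escape(c)) {
            if (n + 3 <= cap) {
                out[n] = '%';
                out[n + 1] = hex[c >> 4];
                out[n + 2] = hex[c & 0x0F];
            } else {
                *overflowed = 1;
            }
            n += 3;
        } else {
            if (n + 1 <= cap) out[n] = (char)c; else *overflowed = 1;
            n += 1;
        }
    }
    return n;
}

/* Bytes the undersized allocation is short by: two per escapable character,
 * so the overflow length is chosen entirely by the request. */
size_t size_deficit(const char *uri)
{
    size_t len = strlen(uri);
    return size_pass(uri, len, 1) - size_pass(uri, len, 0);
}

/* Run a rewrite with the flag propagated (1, patched behaviour) or not
 * (0, vulnerable behaviour). Returns the escaped URI from a static buffer,
 * or NULL if the copy would have run past the allocation. */
const char *rewrite(const char *uri, int flag_propagated)
{
    static char buf[256];
    size_t len = strlen(uri);
    size_t alloc = size_pass(uri, len, flag_propagated);
    if (alloc >= sizeof buf) return NULL; /* model buffer too small */
    int overflowed;
    size_t needed = copy_pass(uri, len, buf, alloc, &overflowed);
    if (overflowed) return NULL;
    buf[needed] = '\0';
    return buf;
}

int main(void)
{
    const char *uri = "/a+++"; /* constructed sample request URI */
    printf("deficit for %s: %zu bytes\n", uri, size_deficit(uri));
    printf("patched:    %s\n", rewrite(uri, 1));
    printf("vulnerable: %s\n", rewrite(uri, 0) ? rewrite(uri, 0) : "(overflow detected)");
    return 0;
}
```

With the flag propagated, "/a+++" is sized at 11 bytes and escapes cleanly to "/a%2B%2B%2B"; without it the chunk is 5 bytes and the second '+' already runs off the end, which is the 2-bytes-per-character deficit the write-up describes.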

Because the overflow data cannot contain null bytes, achieving RCE requires overwriting every field of the NGINX memory pool that precedes the target pointer, then triggering destruction of the pool as soon as the pool header has been corrupted, without crashing the worker process, the cybersecurity firm says.

“Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t’s cleanup pointer (sprayed via POST bodies, since URI bytes can’t contain null bytes), redirecting it to a fake ngx_pool_cleanup_s invoking system() on pool destruction,” Depthfirst explains.

F5 patched the vulnerability in NGINX Plus versions 37.0.0, R36 P4, and R32 P6, and in NGINX open source versions 1.31.0 and 1.30.1. Administrators can confirm the running version with nginx -v; until the update is applied, keeping ASLR enabled limits the impact to DoS, per F5’s advisory.

UPDATE, May 18: Exploitation of the vulnerability has already started.

Related: Chrome 148 Update Patches Critical Vulnerabilities

Related: Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026

Related: High-Severity Vulnerability Patched in VMware Fusion

Related: Fortinet, Ivanti Patch Critical Vulnerabilities


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
