By falco365 · Published May 14, 2026

CVE-2026-42945: NGINX heap buffer overflow in rewrite + set directive chain enables RCE — 18-year-old bug class

CVE-2026-42945 is a heap buffer overflow in NGINX's ngx_http_rewrite_module affecting versions 0.6.27 through 1.30.0. The vulnerability arises when a rewrite directive with a query string is chained with a set directive referencing capture groups from the same regex context — a common API gateway configuration pattern. DepthFirst reports a working RCE proof of concept when ASLR is disabled. Three additional CVEs in the same cluster: CVE-2026-42946 (SCGI/uWSGI modules), CVE-2026-40701 (TLS use-after-free), CVE-2026-42934 (charset module OOB read). Fix: NGINX 1.30.1 or 1.31.0.

Analysis

CVE-2026-42945 is a heap buffer overflow in NGINX's ngx_http_rewrite_module affecting versions 0.6.27 through 1.30.0. The vulnerability class is 18 years old — the ngx_http_rewrite_module code path that contains it has existed since NGINX 0.6.27. DepthFirst (who named the finding "NGINX Rift") reports a working remote code execution proof of concept when ASLR is disabled, and F5 confirmed the findings through coordinated disclosure on May 13, 2026. Fix: NGINX 1.30.1 or 1.31.0.

Three additional CVEs in the same cluster were confirmed by F5 simultaneously: CVE-2026-42946 (memory handling in SCGI and uWSGI modules), CVE-2026-40701 (use-after-free in TLS around async OCSP resolution), and CVE-2026-42934 (out-of-bounds read in ngx_http_charset_module).

Root cause: is_args flag not reset between rewrite and set processing

The overflow occurs when NGINX configuration chains:

  1. A rewrite directive whose replacement string contains a question mark (triggering the is_args query-string handling path)
  2. A set directive that references capture groups from the same regular-expression context (e.g., $1, $2)

The is_args flag set during rewrite processing is not reset before the set complex value evaluation runs. The length pass underestimates the escaped output size; the copy pass then performs URI escaping, overflowing the heap buffer allocated from the request pool. DepthFirst explains this as a two-pass mismatch: compute-then-copy where the computation is wrong.

The pattern that triggers this is common in API gateway configurations that preserve the original path in a variable before rewriting:

location /api/ {
    set $original_uri $request_uri;
    rewrite ^/api/(.*)$ /internal/$1? break;
    set $captured $1;
}

This is standard reverse-proxy practice. Many NGINX configurations used as API gateways match this pattern.

CVE cluster: four vulnerabilities in one advisory
CVE             Module                    Class                        Severity
CVE-2026-42945  ngx_http_rewrite_module   Heap buffer overflow → RCE   High
CVE-2026-42946  SCGI and uWSGI modules    Memory handling              Medium
CVE-2026-40701  TLS / OCSP resolution     Use-after-free               Medium
CVE-2026-42934  ngx_http_charset_module   Out-of-bounds read           Low

All four are fixed in NGINX 1.30.1 (stable branch) and 1.31.0 (mainline branch). Commercial F5 bundles track the same fixes through their own maintenance releases.

Affected versions
  • NGINX Open Source: 0.6.27 through 1.30.0 (CVE-2026-42945); specific version windows for the other CVEs are on the nginx.org security advisories page
  • NGINX Plus: Track the F5 advisory for maintenance release mapping
  • NGINX Ingress Controller, App Protect, Gateway Fabric, Instance Manager: Each carries its own version window in the F5 advisory
  • Cloud-managed variants (AWS ALB, GCP Cloud Armor) that use patched NGINX versions upstream may not be affected — check vendor advisories

Detection: identify vulnerable directive patterns

Before patching is complete, identify configurations at risk. Search NGINX configuration files for rewrite directives whose replacement includes ? followed by set directives that reference $1, $2, or similar capture variables in the same location block. Because grep matches one line at a time and the two directives normally sit on separate lines, search for each directive separately and then review the location blocks where both appear:

grep -rnE 'rewrite[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*\?' /etc/nginx/   # rewrites with ? in the replacement
grep -rnE 'set[[:space:]]+\$[A-Za-z0-9_]+[[:space:]]+.*\$[1-9]' /etc/nginx/           # set directives referencing $1..$9

Hardening alone (removing the vulnerable directive pairing) is not a substitute for patching, but reduces exposure during rollout.
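Matching the two directives inside the same block needs block tracking rather than single-line grep. The script below is an added example (not from the advisory, DepthFirst or the NGINX project) that walks brace-delimited blocks and flags one where a rewrite with ? in its replacement is followed by a set referencing $1..$9; it assumes one directive per line, and the sample config it scans is constructed for the self-test.

```shell
#!/bin/sh
# Added detection helper, not part of the advisory or of NGINX itself.
# Assumptions: one directive per line; a block is any brace-delimited body
# (location, server, if). A block is flagged when a rewrite whose replacement
# contains '?' is followed, in the same block, by a set directive that
# references a numbered capture ($1..$9), i.e. the chain described above.

scan_nginx_conf() {
  # $1 = path to one nginx config file; prints one line per flagged set directive
  awk -v file="$1" '
    /^[[:space:]]*#/ { next }                            # skip comment lines
    index($0, "{") > 0 {                                 # block opens: new state
      depth++; start[depth] = NR; has_rw[depth] = 0
    }
    $1 == "rewrite" && $3 ~ /\?/ { has_rw[depth] = 1 }  # replacement (field 3) has ?
    $1 == "set" && has_rw[depth] && $0 ~ /\$[1-9]/ {     # set ... $N after such a rewrite
      printf "%s:%d vulnerable rewrite/set chain in block opened here\n", file, start[depth]
    }
    index($0, "}") > 0 { depth-- }                       # block closes
  ' "$1"
}

scan_nginx_dir() {
  # $1 = config root, e.g. /etc/nginx; scans every regular file beneath it
  # (included files under conf.d/ or sites-enabled/ need not end in .conf)
  find "$1" -type f | while read -r f; do scan_nginx_conf "$f"; done
}

write_sample_conf() {
  # Constructed sample (not a real deployment): the /api/ block matches the
  # vulnerable pattern, the /static/ block has no ? in its replacement.
  cat > "$1" <<'EOF'
server {
    location /api/ {
        set $original_uri $request_uri;
        rewrite ^/api/(.*)$ /internal/$1? break;
        set $captured $1;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 break;
        set $asset $1;
    }
}
EOF
}

# Usage on a live host: scan_nginx_dir /etc/nginx
```

A flagged block is a candidate for review and for removing the pairing during rollout; an empty result does not prove a host is safe, since included files outside the scanned root and multi-line directives are not covered.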

Remediation
  1. Upgrade NGINX to 1.30.1, 1.31.0, or newer. Treat Internet-facing reverse proxies and Kubernetes ingress controllers as emergency change targets.
  2. Rebuild container images and golden VM images to pick up the patched binaries, then restart affected fleets.
  3. Apply F5 commercial maintenance releases for NGINX Plus, Ingress Controller, App Protect, Gateway Fabric, and Instance Manager.
  4. Re-test configurations that rely on chained rewrite and set behavior after upgrade — query-string handling changes may affect routing.
  5. Monitor for exploitation attempts — crafted requests designed to trigger the rewrite/set chain overflow will produce unusual request pool allocation patterns or crash logs before a stable exploit chain is weaponized.

Class context: 18-year-old code, newly weaponizable

The "18-year-old bug" framing from DepthFirst is accurate but should be read carefully. The code path has existed since 2007, but a working RCE requires ASLR disabled — which is not the typical production configuration. The realistic threat model for most deployments is information disclosure or targeted crash rather than immediate arbitrary code execution. That said, the existence of a working PoC from DepthFirst means active weaponization work is underway in the research community, and the gap to a reliable exploit under common production conditions may close. Patch SLA should be treated as urgent (days) for Internet-exposed NGINX, not a normal vulnerability cycle.