F5 Nginx Remote Code Execution Vulnerability (CVE-2026-42945)
Threat researchers have identified a critical-severity vulnerability in NGINX Plus and NGINX Open Source, tracked as CVE-2026-42945. The flaw, discovered by depthfirst, is an 18-year-old memory corruption bug in NGINX Plus and NGINX Open Source. Successful exploitation may allow an unauthenticated attacker to cause a denial of service (DoS) on the NGINX system or to trigger code execution.
NGINX is an open-source, high-performance HTTP web server, reverse proxy, load balancer, content cache, and mail proxy server. It is designed to handle massive concurrency with low memory usage by using an asynchronous, event-driven architecture.
Vulnerability Details
The root cause of the vulnerability is a logic/state mismatch in the ngx_http_script engine: an internal flag (is_args) is set during the length-calculation pass but is not reset afterwards. As a result, the first pass computes a shorter length, while the second pass performs URI escaping and writes a longer escaped string, causing a heap buffer overflow. An unauthenticated attacker can trigger the flaw by sending crafted HTTP requests.
The vulnerability can lead to code execution in systems with Address Space Layout Randomization (ASLR) disabled.
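As an added illustration (not nginx's code, and not from the advisory or the depthfirst write-up), the following C model shows the two-pass length/write pattern the root cause describes: a flag set during the length pass and never reset makes the write pass escape more bytes than were reserved. The template, escape table, names and sample values are constructed for the demo; the bounds check in the write pass stands in for the unchecked write in the real engine, so the model reports the mismatch instead of corrupting memory.

```c
#include <stdlib.h>
/* Simplified model of a two-pass (length, then write) template engine with a
 * per-request flag shared by both passes; NOT nginx's ngx_http_script code. */
typedef struct { int is_args; } script_ctx;
typedef struct { int is_var; const char *text; } code;  /* one template piece */

/* Args mode percent-encodes a wider byte set than plain-URI mode (illustrative table). */
static int needs_escape(unsigned char c, int is_args) {
    if (c <= ' ' || c >= 0x7f || c == '%' || c == '#') return 1;
    return is_args && (c == '&' || c == '=' || c == '+');
}

/* One pass over the template: counts output bytes; when out is non-NULL also
 * writes them, returning (size_t)-1 if the write would exceed cap. */
static size_t run_pass(script_ctx *ctx, const code *codes, size_t n,
                       char *out, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        for (const unsigned char *p = (const unsigned char *)codes[i].text; *p; p++) {
            if (!codes[i].is_var && *p == '?') ctx->is_args = 1; /* set, never cleared here */
            size_t need = (codes[i].is_var && needs_escape(*p, ctx->is_args)) ? 3 : 1;
            if (out) {
                if (len + need > cap) return (size_t)-1;          /* overflow stand-in */
                if (need == 1) { out[len] = (char)*p; }
                else { out[len] = '%'; out[len + 1] = hex[*p >> 4]; out[len + 2] = hex[*p & 15]; }
            }
            len += need;
        }
    }
    return len;
}

/* Length pass, allocate exactly that much, then write pass. With reset_state == 0 the
 * is_args left over from pass 1 leaks into pass 2 (the advisory's root cause).
 * Returns how many bytes pass 2 needs beyond the allocation; 0 means consistent. */
static size_t overflow_bytes(const code *codes, size_t n, int reset_state) {
    script_ctx ctx = {0};
    size_t reserved = run_pass(&ctx, codes, n, NULL, 0);
    if (reset_state) ctx.is_args = 0;              /* the fix: pass 2 starts clean */
    script_ctx probe = ctx;                        /* what pass 2 would actually emit */
    size_t needed = run_pass(&probe, codes, n, NULL, 0);
    char *buf = malloc(reserved);
    size_t wrote = run_pass(&ctx, codes, n, buf, reserved);
    free(buf);
    return wrote == (size_t)-1 ? needed - reserved : 0;
}

/* Constructed demo template "/prefix/$var?$args" with '=' and '&' inside $var. */
static const code sample[] = { {0, "/prefix/"}, {1, "a=b&c"}, {0, "?"}, {1, "x"} };
#define SAMPLE_N (sizeof sample / sizeof sample[0])
```

With the stale flag, the write pass needs 4 bytes more than the 15 the length pass reserved; resetting the flag between passes brings the two into agreement.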
Exploitation overview
Because the overflow is driven by URI escaping, an attacker can control its size only with URI-safe bytes; injecting arbitrary binary data is harder.
Security researchers at depthfirst demonstrate an exploit strategy in their blog that corrupts an adjacent request’s ngx_pool header, times pool destruction to avoid crashes (cross-request “heap feng shui”), then uses POST body spraying to place fake ngx_pool_cleanup structures (which contain function pointers) and triggers those handlers to call system(), achieving code execution.
Affected Versions
- NGINX Plus R32 – R36
- NGINX Open Source 1.0.0 – 1.30.0
Mitigation
Users must upgrade to the following versions to patch the vulnerability:
- NGINX Plus versions R32 P6 and R36 P4
- NGINX Open Source versions 1.30.1 and 1.31.0
For more information, please refer to the NGINX Security Advisory (K000161019).
Qualys Detection
Qualys customers can scan their devices with QID 734246 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://my.f5.com/manage/s/article/K000161019
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability