# NGINX Rift RCE Proof of concept for **CVE-2026-42945**, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` introduced in 2008. The bug enables unauthenticated remote code execution against servers using `rewrite` and `set` directives. This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by [depthfirst](https://depthfirst.com)'s security analysis system after a single click of onboarding the NGINX source. > Want to find issues like this in your own code? Try the same system at ****. ## The Bug (TL;DR) NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The `is_args` flag is set on the main engine when a `rewrite` replacement contains `?`, but the length-calculation pass runs on a freshly zeroed sub-engine. So: - **Length pass** sees `is_args = 0` → returns raw capture length. - **Copy pass** sees `is_args = 1` → calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes. The copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent `ngx_pool_t`'s `cleanup` pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake `ngx_pool_cleanup_s` invoking `system()` on pool destruction. Read more about this bug in our [technical write-up](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability). ## Affected & Fixed Versions | Product | Affected | Fixed in | | --- | --- | --- | | NGINX Open Source | 0.6.27 – 1.30.0 | 1.31.0, 1.30.1 | | NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 | Full vendor advisory: ## Usage Tested on Ubuntu 24.04.3 LTS. 1. `./setup.sh` — build the container. 2. `docker compose -f env/docker-compose.yml up` — start the vulnerable NGINX server. 3. `python3 poc.py --shell` — pop a shell.