The recent disclosure of CVE-2026-42945, an 18-year-old heap-buffer overflow in NGINX's ngx_http_rewrite_module, presents an immediate challenge for security teams. This critical flaw (CVSS 9.2) affects nearly every NGINX version released since 2008, including NGINX Plus, and is already seeing active exploitation. While official patches are available, understanding the vulnerability's mechanics and implementing interim controls is essential for defense in depth.

Understanding the Vulnerability

The flaw resides in how NGINX handles rewrite and set directives when used together, particularly when a rewrite pattern includes a question mark (?). This configuration is common in API gateways or reverse proxies. NGINX's internal script engine processes rewrites in two passes:

1. Buffer Length Calculation: The first pass calculates the required buffer length with a zeroed sub-engine, where the is_args flag is cleared.

2. Copy Pass: The second pass copies data with the main engine, where is_args is permanently set to 1.

This mismatch means the length calculation ignores URI escaping. When the copy pass expands escapable characters (e.g., '+', '&') from one byte to three, data is written beyond the allocated heap buffer, causing an overflow. On default deployments, this leads to a worker process crash, resulting in a denial-of-service (DoS). However, if Address Space Layout Randomization (ASLR) is disabled on the host, this heap overflow can be exploited for remote code execution (RCE).

Immediate Detection and Auditing

The first step is to identify all NGINX instances within your environment. Focus on configurations that combine both rewrite and set directives. This specific pattern is the trigger for CVE-2026-42945.

Configuration Review

Conduct a thorough audit of all NGINX configuration files (nginx.conf and any included files). Look for blocks containing both rewrite and set directives. Tools like grep or configuration management systems can automate this search across your fleet. Prioritize instances acting as API gateways or reverse proxies, as these are more likely to contain the problematic configurations.

Mitigation Strategies Before Patching

Applying patches should be the ultimate goal, but interim mitigations are crucial to reduce risk immediately.

Replace Unnamed Capture Groups

Where rewrite and set directives are used together, and the rewrite rule contains unnamed PCRE capture groups (e.g., $1, $2), replace them with named captures. This simple change eliminates a primary prerequisite for exploitation. For example, change rewrite ^/(.*)$ /index.php?param=$1; to rewrite ^/(?P<path>.*)$ /index.php?param=$path;.
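An added audit script (not from the original article) that ties the configuration review above to this mitigation: it walks an nginx configuration, lists every rewrite that sits in a block also containing a set directive, notes whether that rewrite relies on unnamed captures or carries a '?' in its replacement, and converts a rewrite to named captures as suggested. The sample configuration, the parser and the helper names are constructed for this example; the parser assumes no ';', braces or '#' inside quoted values.

```python
import re

# Constructed sample config (not from the page): /api/ combines 'set' with a rewrite that
# uses an unnamed capture and a '?' replacement; /static/ already uses a named capture.
SAMPLE_CONF = """
server {
    location /api/ {
        set $backend "app";
        rewrite ^/api/(.*)$ /index.php?param=$1 last;
    }
    location /static/ {
        set $backend "cdn";
        rewrite ^/static/(?P<path>.*)$ /assets/$path;
    }
}
"""
# An unescaped '(' not followed by '?' opens an unnamed (numbered) capture group.
_UNNAMED_GROUP = re.compile(r'(?<!\\)\((?!\?)')

def parse_blocks(text):
    """Return (block_path, [(directive, args), ...]) per block. Assumes no ';{}#' in quotes."""
    text = re.sub(r'#[^\n]*', '', text)                   # drop comments
    stack, blocks = [('', [])], []
    for m in re.finditer(r'\s*([^{};]+?)\s*([{;])|\s*(\})', text):
        if m.group(3):                                     # '}' closes the innermost block
            blocks.append(stack.pop())
            continue
        words, term = m.group(1).split(), m.group(2)
        if term == '{':                                    # '{' opens a nested block
            stack.append((' > '.join(filter(None, [stack[-1][0], ' '.join(words)])), []))
        else:                                              # ';' ends a directive
            stack[-1][1].append((words[0], words[1:]))
    blocks.append(stack.pop())
    return blocks

def audit(text):
    """For each rewrite in a block that also uses 'set', report unnamed captures and a '?' replacement."""
    findings = []
    for path, directives in parse_blocks(text):
        if {'set', 'rewrite'} <= {d for d, _ in directives}:
            for name, args in directives:
                if name == 'rewrite' and len(args) >= 2:
                    findings.append({'block': path, 'rewrite': ' '.join(args),
                                     'unnamed_captures': bool(_UNNAMED_GROUP.search(args[0])),
                                     'question_mark': '?' in args[1]})
    return findings

def to_named_captures(pattern, replacement):
    # Mitigation from above: (...) -> (?P<gN>...) and $N -> $gN. Assumes no '(' in char classes.
    parts = _UNNAMED_GROUP.split(pattern)
    named = parts[0] + ''.join(f'(?P<g{i}>{p}' for i, p in enumerate(parts[1:], 1))
    return named, re.sub(r'\$(\d+)', r'$g\1', replacement)
```

Run audit() over each file collected from your fleet and feed flagged rewrites through to_named_captures() before reviewing the suggested replacement by hand.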

WAF or Reverse Proxy Protection

If possible, place vulnerable NGINX instances behind a Web Application Firewall (WAF) or another reverse proxy. This adds a layer that can inspect and block crafted requests before they reach the vulnerable NGINX instance. Configure the WAF to detect and block requests that attempt to exploit URI escaping inconsistencies, particularly those involving ? and special characters in rewrite rules.

Ensure ASLR is Enabled

The proof-of-concept exploit for RCE relies on ASLR being disabled. Verify that ASLR is enabled on all host operating systems running NGINX. While this is typically a default setting, misconfigurations or legacy systems might have it disabled. Keeping ASLR enabled significantly raises the bar for RCE exploitation, often reducing it to a DoS condition.

Monitor for Worker Crashes

Actively monitor NGINX logs for abnormal worker restarts or crash logs. On default deployments, exploitation of CVE-2026-42945 will likely manifest as a DoS due to worker process crashes. Alerting on these events can indicate attempted or successful exploitation.

Prioritizing and Applying Patches

The official fixes for this vulnerability are available in NGINX 1.31.0, 1.30.1, NGINX Plus R36 P4, and R32 P6. Prioritize applying these patches across your NGINX fleet as soon as possible. Develop a rollout plan that includes testing in staging environments before deploying to production.

Start by identifying all NGINX deployments using rewrite and set directives. For those, implement named capture groups immediately and confirm ASLR is active on the host OS. This buys time to methodically apply vendor patches.