Main Vulnerability Database Exploits ID:12732 - Exploit for Heap-based buffer overflow in NGINX Open Source and NGINX Plus - CVE-2026-42945

ID:12732 - Exploit for Heap-based buffer overflow in NGINX Open Source and NGINX Plus - CVE-2026-42945

Published: May 22, 2026

Vulnerability identifier: #VU131377

Vulnerability risk: Critical

CVE-ID: CVE-2026-42945

CWE-ID: CWE-122

Exploitation vector: Remote access

Vulnerable software:
NGINX Open Source
NGINX Plus

Link to public exploit:

https://github.com/dinosn/cve-2026-42945-nginx32-lab

Vulnerability description

The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in ngx_http_rewrite_module when processing crafted HTTP requests that reach configurations where a rewrite directive is followed by a rewrite, if, or set directive and unnamed PCRE captures are used with a replacement string containing a question mark. A remote attacker can send crafted HTTP requests to cause a denial of service or execute arbitrary code.

Code execution is possible on systems with address space layout randomization disabled. There is no control plane exposure; this is a data plane issue only.

Remediation

Install security update from vendor's website.

ID:12732 - Exploit for Heap-based buffer overflow in NGINX Open Source and NGINX Plus - CVE-2026-42945

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human