NGINX Rift Rewrite Module Remote Code Execution

by Dhiren Vaghela

NGINX Rift Rewrite Module Remote Code Execution (CVE-2026-42945)

Overview

The SonicWall Capture Labs threat research team became aware of a heap buffer overflow vulnerability in NGINX products, assessed its impact and developed mitigation measures. NGINX is the top web server and reverse proxy globally. It runs approximately one-third of all websites. Organizations deploy it at the perimeter for CDN nodes and load balancers. It also secures Kubernetes ingress controllers and API gateways.

The issue, tracked as CVE-2026-42945, affects NGINX Open Source 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. This flaw, categorized under CWE-122 Heap-based Buffer Overflow, allows an unauthenticated remote attacker to crash a worker process or, under favorable memory conditions, achieve remote code execution. It carries a CVSS score of 9.2. Users are strongly encouraged to apply the vendor-provided updates without delay.

Technical Overview

Figure 1 illustrates the overall NGINX operational architecture, which in both editions is built around a master-worker, event-driven, asynchronous processing model. The major distinction is that NGINX Open Source focuses on the data plane (traffic processing), while NGINX Plus adds an enterprise-grade control plane with runtime APIs, active health checks, observability, and advanced load-balancing capabilities, making it suitable for large-scale production and mission-critical environments.

[Figure 1: NGINX Operational Architecture]

The area of interest is the rewrite phase inside the worker process, which is the deployment model affected by CVE-2026-42945. A malicious request can hit a vulnerable location block, pass through rewrite/set handling, corrupt worker memory, and then either crash the worker or potentially pivot to code execution. Because the NGINX master process respawns crashed workers, repeated exploitation can present as unstable workers, spikes in 5xx responses and connection resets, or a persistent denial-of-service (DoS) condition. Figure 2 illustrates the flow of the heap-based buffer overflow.

[Figure 2: NGINX CVE-2026-42945 Flow Diagram]

Root Cause

The exploitation entry vector is a malformed HTTP request handled by the location or rewrite phase of the worker process, as shown in Figure 2. The vulnerability is configuration-dependent: vulnerable endpoints cannot be found by scanning for a specific URL path, and identifying them requires inspecting the NGINX configuration for location blocks that contain the affected rewrite pattern.

As shown in Figure 3, the vulnerability exists when all of the following are true:

  • A request reaches a location block.
  • That location contains a rewrite directive whose replacement string includes a ? character.
  • The same location is followed by another rewrite, if, or set directive.
  • Unnamed PCRE capture groups are used ($1, $2, etc.).
  • An attacker sends a crafted URI that triggers the rewrite logic.
  • NOTE: ASLR is assumed to be disabled on the host.

Under these conditions, NGINX underestimates the amount of memory needed during the allocation pass, and the subsequent write pass overwrites the allocated buffer boundaries on the heap.

[Figure 3: Vulnerable Endpoint]
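
The configuration preconditions above can be checked mechanically. The following Python script is an added example, not part of the advisory or of NGINX itself; it contains a minimal tokenizer for nginx.conf syntax (include files are not followed) and flags every location block that has a rewrite whose replacement contains both a ? and an unnamed capture reference ($1, $2, ...) and that is followed by another rewrite, if, or set directive. The sample configuration is constructed for the demonstration.

```python
import re

# Constructed sample configuration (not from the advisory): only /old/ meets every precondition.
SAMPLE_CONF = """
http {
    server {
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1?from=legacy break;   # '?' + unnamed capture
            set $backend "app";                               # followed by a set
            proxy_pass http://app;
        }
        location /safe/ {
            rewrite ^/safe/(?<rest>.*)$ /new/$rest?x=1 break; # named capture only
            proxy_pass http://app;
        }
        location /plain/ {
            rewrite ^/plain/(.*)$ /new/$1 break;              # no '?' in replacement
            set $flag 1;
        }
    }
}
"""

# Tokens: quoted strings, block delimiters, statement terminator, bare words.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s;{}"\']+')
_UNNAMED_CAPTURE = re.compile(r'\$\d')


def location_blocks(conf):
    """Return [(location_args, [directive word lists])] for every location block."""
    tokens = _TOKEN.findall(re.sub(r'#[^\n]*', '', conf))  # drop comments first
    stack = [(['<root>'], [])]  # (block header words, directives seen in block)
    words, found = [], []
    for tok in tokens:
        if tok == '{':
            stack.append((words, []))
            words = []
        elif tok == ';':
            stack[-1][1].append(words)
            words = []
        elif tok == '}':
            header, directives = stack.pop()
            stack[-1][1].append(header)  # nested blocks (e.g. if) count as directives of the parent
            if header and header[0] == 'location':
                found.append((' '.join(header[1:]), directives))
        else:
            words.append(tok)
    return found


def risky_locations(conf):
    """Location blocks matching all configuration preconditions from the advisory."""
    risky = []
    for header, directives in location_blocks(conf):
        for i, d in enumerate(directives):
            if d[0] != 'rewrite' or len(d) < 3:
                continue
            replacement = d[2]
            if '?' not in replacement or not _UNNAMED_CAPTURE.search(replacement):
                continue
            if any(x[0] in ('rewrite', 'if', 'set') for x in directives[i + 1:]):
                risky.append(header)
                break
    return risky


if __name__ == '__main__':
    print('Locations to review:', risky_locations(SAMPLE_CONF))
```

A hit only means the block matches the pattern the advisory describes; the definitive fix remains upgrading to the patched version.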

Triggering the Vulnerability

As shown in Figure 4, the exploitation process typically follows these steps:

  • The core logic that triggers the vulnerability lives inside the proof-of-concept's attempt() function.
  • The script targets the vulnerable NGINX URI parsing engine by sending a specifically formatted GET request.
  • On a vulnerable NGINX instance, this request triggers the allocation-size mismatch.
  • The payload contains a dense sequence of + characters. When NGINX processes this string with its internal URI-escaping function (ngx_escape_uri), each + character expands into three bytes during the second pass of the rewrite engine, while the first pass allocated only one byte per character.
  • Because of this expansion calculation bug, the string is written past its allocated chunk on the heap, which lets the script overwrite adjacent heap structures with target_bytes.
  • When NGINX performs its next routine operation on that connection, it dereferences the hijacked pointer and processes the fake structure, calling system() (at SYSTEM_ADDR) with the command string (at data_addr) as its argument.

[Figure 4: Triggering the Vulnerability – CVE-2026-42945]
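
Since the advisory identifies a dense run of + characters in the request URI as the trigger, access logs can be screened for it. The following Python is an added example, not part of the advisory or of any SonicWall product: it parses NGINX "combined" format log lines, flags requests whose URI contains a run of at least min_run consecutive + characters, and counts hits per source address. The log lines and the threshold of 16 are constructed assumptions; ordinary URLs carry + as an encoded space, so the threshold should be tuned against your own traffic.

```python
import re
from collections import Counter

# Constructed sample access-log lines in NGINX "combined" format (not from the advisory).
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/May/2026:10:01:02 +0000] "GET /old/report HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/May/2026:10:01:05 +0000] "GET /old/' + '+' * 40 + ' HTTP/1.1" 499 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/May/2026:10:01:06 +0000] "GET /old/' + '+' * 40 + ' HTTP/1.1" 499 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/May/2026:10:02:00 +0000] "GET /search?q=a+b+c HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
])

# Minimal parser for the "combined" format: client address, request line, status code.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text, min_run=16):
    """Return (ip, uri, status) for requests whose URI holds >= min_run consecutive '+'."""
    plus_run = re.compile(r'\+{%d,}' % min_run)
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and plus_run.search(m['uri']):
            hits.append((m['ip'], m['uri'], int(m['status'])))
    return hits


def offenders(log_text, min_run=16):
    """Count flagged requests per source address; repeats suggest a worker-crash loop."""
    return Counter(ip for ip, _, _ in suspicious_requests(log_text, min_run))


if __name__ == '__main__':
    for ip, count in offenders(SAMPLE_LOG).most_common():
        print(f'{ip}: {count} suspicious request(s)')
```

Correlate hits with worker respawn messages in the NGINX error log to distinguish a crash loop from benign URIs that happen to contain many + characters.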

Exploitation

Successful exploitation enables a remote, unauthenticated attacker to execute arbitrary code on the host operating system with the privileges of the NGINX worker process. Alternatively, the attacker can cause a complete DoS by corrupting heap structures and forcing the active worker processes into a continuous crash loop. Figure 5 demonstrates a real-world proof of concept, showing successful exploitation to achieve remote code execution via the heap buffer overflow using a publicly available exploit. A successful compromise drops the attacker directly into an active command shell running with the local privileges of the NGINX worker account. Given that NGINX serves as the primary edge proxy for a massive portion of global web traffic, the potential blast radius is severe.

[Figure 5: Exploit in Action]

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:2173 Web Application Malformed Request URI 17
  • IPS:4569 Web Application Attack 28
  • IPS:6250 Web Application Attack 32
  • IPS:4524 Web Application Attack 61

Remediation Recommendations

With NGINX's growing user base and increasing deployment footprint, organizations and individual users should upgrade to the latest patched version as outlined in the official vendor advisory.

An Article By

Dhiren Vaghela

Senior Software Development Engineer

Dhiren Vaghela has over a decade of experience in the IPS domain, with a strong focus on defensive security. His expertise lies in identifying, analyzing and mitigating vulnerabilities. Dhiren is well-versed in content-based signature writing, scanner-based alert generation and technical blog writing. By leveraging emerging technologies, he has developed numerous IPS signatures across various protocols. Known for his exceptional signature writing skills and collaborative team spirit, Dhiren is a valuable asset in the field of cybersecurity.
