HeadlinesBriefing.com

NGINX RCE Exploit Published for CVE-2026-42945

Hacker News

A new proof-of-concept exploit for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module, is now public. This 2008-era bug enables unauthenticated remote code execution on servers using rewrite and set directives, representing a severe threat to internet-facing infrastructure.

NGINX's two-pass script engine mismanages the is_args flag between passes. The length-calculation phase sees is_args as unset, but the copy phase sees it set, causing an undersized buffer. Attackers overflow this buffer with controlled URI data, then use heap feng shui to corrupt a pool cleanup pointer and execute arbitrary code.

Affected versions include NGINX Open Source 0.6.27–1.30.0 and NGINX Plus R32–R36. Patches are available in 1.31.0, 1.30.1, and corresponding Plus updates. Given the flaw's long history and public exploit, immediate upgrades are critical for vulnerable deployments.

The autonomous discovery by depthfirst's system highlights how legacy code can hide critical flaws for decades. With proof-of-concept code now available, scanning for vulnerable configurations becomes urgent. Security teams must prioritize patching this RCE vector before widespread exploitation occurs.
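A triage helper for the patch prioritization described above, added here as an example (it is not code from the article, the NGINX project, or the exploit). It checks an `nginx -v` banner against the Open Source range the article gives and looks for `rewrite` and `set` directives in a config; the function names, the result labels and the sample config are assumptions made for illustration, and NGINX Plus releases are not handled.

```python
import re

# Affected NGINX Open Source range as stated in the article (inclusive).
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)
# Directives the article associates with vulnerable deployments.
WATCHED = {"rewrite", "set"}

# Constructed sample config (not taken from any real deployment).
SAMPLE_CONF = """
server {
    listen 80;
    # rewrite ^/old /new;  (commented out, must not count)
    location /app {
        set $backend app;
        rewrite ^/app/(.*)$ /$1?src=$backend last;
        proxy_set_header Host $host;
    }
}
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output or a Server header."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def version_affected(banner):
    v = parse_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def directives_used(conf_text):
    """Return which watched directives appear as statement names in a config."""
    found = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments; directive names precede any '#'
        for stmt in re.split(r"[;{}]", line):
            tokens = stmt.split()
            # Exact match on the first token, so proxy_set_header is not counted.
            if tokens and tokens[0] in WATCHED:
                found.add(tokens[0])
    return found

def triage(banner, conf_text):
    """Hypothetical labels: 'patch-now', 'patch', 'not-affected', 'unknown'."""
    if parse_version(banner) is None:
        return "unknown"
    if not version_affected(banner):
        return "not-affected"
    # The article ties exposure to configs using both rewrite and set.
    return "patch-now" if directives_used(conf_text) == WATCHED else "patch"
```

A version banner does not reflect fixes a distribution has backported, so treat a match as a prompt to check the package changelog rather than as proof of exposure.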