Critical NGINX Vulnerability CVE-2017-7520 Lets Attackers Remotely Execute Code
Key Takeaways
- A critical heap buffer overflow vulnerability (CVE-2026-42945) has been disclosed in NGINX, present for 18 years.
- The flaw enables unauthenticated remote code execution (RCE) and affects NGINX Open Source versions 0.6.27 through 1.30.0, along with various F5/NGINX products.
- The vulnerability, rated 9.2 CVSS, is triggered by specific configurations using both rewrite and set directives.
- A proof-of-concept (PoC) exploit exists, demonstrating reliable RCE.
- F5 released patches on May 13, 2026, urging users to upgrade to NGINX 1.30.1 or 1.31.0 immediately.
A severe heap buffer overflow vulnerability in NGINX’s codebase, identified as CVE-2026-42945, has been publicly disclosed. This critical flaw, which has existed since 2008, carries a CVSS score of 9.2 and enables unauthenticated remote code execution (RCE) against one of the world’s most widely deployed web servers. A fully functional proof-of-concept (PoC) exploit has also been made public.
The vulnerability resides within NGINX’s ngx_http_rewrite_module, a core component responsible for URL rewriting and variable assignment across virtually all modern NGINX deployments. The bug was initially introduced in version 0.6.27, released in 2008, and remained undetected across all versions up to 1.30.0 for an astonishing 18 years.
The 18-Year-Old NGINX RCE Vulnerability Explained
The flaw is triggered under specific configuration scenarios where both rewrite and set directives are used concurrently, a common pattern found in API gateway setups. NGINX’s internal script engine processes these directives using a two-pass system: the initial pass calculates the required memory length, and the subsequent pass writes data into the allocated buffer.
The fundamental issue stems from a state inconsistency between these two passes. When a rewrite directive includes a question mark (?), it permanently sets an is_args = 1 flag on the main script engine. However, during the first pass, which is responsible for length calculation, a zeroed-out sub-engine is utilized. This means the is_args flag is effectively zero during this phase, leading to the length being calculated without properly accounting for URI escaping.

In the second pass, where data is copied, the main engine operates with is_args = 1. This critical difference causes the ngx_escape_uri function to expand each escapable byte from one to three bytes. Consequently, significantly more data is written to the buffer than was initially allocated, resulting in a classic heap buffer overflow condition.
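The two-pass mismatch described above, as a simplified added model in C (not NGINX’s code: the function names, the escape rule and the bounded copy are assumptions made for illustration). It shows how a length pass that runs with the flag cleared reserves too few bytes for a copy pass that runs with it set, and that keeping both passes on the same flag removes the gap:

```c
/* Added illustration, not ngx_http_rewrite_module source: a simplified
 * "measure, then copy" model. Both passes must see the same escaping flag;
 * when they do not, the copy pass needs more bytes than were reserved. */
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Assumed escape rule: these bytes expand from 1 byte to 3 ("%XX"). */
static bool needs_escape(unsigned char c) {
    return c == ' ' || c == '"' || c == '<' || c == '>' || c == '%' ||
           c < 0x20 || c >= 0x7f;
}

/* Length pass: output size of uri for the given is_args flag. */
size_t escaped_len(const char *uri, size_t len, int is_args) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (is_args && needs_escape((unsigned char)uri[i])) ? 3 : 1;
    return n;
}

/* Copy pass: writes the (possibly escaped) uri into dst of cap bytes.
 * Returns the bytes it *would* write; unlike the flawed original pattern it
 * stops at cap, so a mismatch can be observed without corrupting memory. */
size_t escaped_copy(char *dst, size_t cap, const char *uri, size_t len, int is_args) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (is_args && needs_escape(c)) {
            if (n + 3 <= cap) { dst[n] = '%'; dst[n+1] = hex[c >> 4]; dst[n+2] = hex[c & 0xf]; }
            n += 3;
        } else {
            if (n < cap) dst[n] = (char)c;
            n += 1;
        }
    }
    return n;
}

/* Runs the length pass with one flag value and the copy pass with another.
 * Returns bytes needed minus bytes reserved: positive means the copy pass
 * would run past the allocation (the flaw: 0 then 1); 0 means the passes
 * agree (the fix: identical state in both passes). */
long two_pass_mismatch(const char *uri, int length_pass_flag, int copy_pass_flag) {
    size_t len = strlen(uri);
    size_t reserved = escaped_len(uri, len, length_pass_flag);
    char buf[256];
    size_t cap = reserved < sizeof buf ? reserved : sizeof buf;
    size_t needed = escaped_copy(buf, cap, uri, len, copy_pass_flag);
    return (long)needed - (long)reserved;
}
```

A constructed URI with three escapable bytes reserves 7 bytes under the zeroed flag but needs 13 under the set flag; the same input with both passes on the same flag yields no gap.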
Security researchers successfully developed a working RCE exploit for systems where Address Space Layout Randomization (ASLR) is disabled. The security research firm depthfirst independently discovered the vulnerability during an April 2026 code audit. This audit also uncovered three additional memory corruption bugs within the NGINX codebase.
The exploit chain leverages heap manipulation, fake cleanup structure spraying via POST bodies, and NGINX’s deterministic multi-process architecture to achieve reliable and repeatable code execution. A public PoC is now available on GitHub.
In addition to the critical RCE flaw, three other CVEs related to memory corruption were confirmed.
The vulnerability impacts a broad spectrum of F5/NGINX products, including NGINX Open Source versions 0.6.27–1.30.0, NGINX Plus R32–R36, NGINX Instance Manager, NGINX App Protect WAF, NGINX Gateway Fabric, and NGINX Ingress Controller.
F5 issued its official security advisory on May 13, 2026, urging administrators to upgrade to NGINX 1.30.1 or 1.31.0 without delay.
What You Should Do
- Upgrade Immediately: All administrators should upgrade their NGINX installations to version 1.30.1 or 1.31.0 as soon as possible to mitigate this critical vulnerability.
- Audit Configurations: If immediate patching is not feasible, organizations should audit their NGINX configurations for the combined use of rewrite and set directives.
- Implement WAF Protection: Consider placing exposed NGINX deployments behind an additional Web Application Firewall (WAF) layer to provide an extra barrier against exploitation until patching can be completed.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.