Critical NGINX Vulnerability CVE-2017-7520 Lets Attackers Remotely Execute Code

David kimber
May 14, 2026

Key Takeaways

  • A critical heap buffer overflow vulnerability (CVE-2026-42945) has been disclosed in NGINX, present for 18 years.
  • The flaw enables unauthenticated remote code execution (RCE) and affects NGINX Open Source versions 0.6.27 through 1.30.0, along with various F5/NGINX products.
  • The vulnerability, rated 9.2 CVSS, is triggered by specific configurations using both rewrite and set directives.
  • A proof-of-concept (PoC) exploit exists, demonstrating reliable RCE.
  • F5 released patches on May 13, 2026, urging users to upgrade to NGINX 1.30.1 or 1.31.0 immediately.

A severe heap buffer overflow vulnerability, identified as CVE-2026-42945, has been publicly disclosed within NGINX’s codebase. This critical flaw, which has existed since 2008, carries a CVSS score of 9.2 and facilitates unauthenticated remote code execution (RCE) against one of the world’s most ubiquitous web servers. A fully functional proof-of-concept (PoC) exploit has also been made public.

The vulnerability resides within NGINX’s ngx_http_rewrite_module, a core component responsible for URL rewriting and variable assignment across virtually all modern NGINX deployments. The bug was initially introduced in version 0.6.27, released in 2008, and remained undetected across all versions up to 1.30.0 for an astonishing 18 years.

The 18-Year-Old NGINX RCE Vulnerability Explained

The flaw is triggered under specific configuration scenarios where both rewrite and set directives are used together, a common pattern found in API gateway setups. NGINX's internal script engine processes these directives using a two-pass system: the initial pass calculates the required memory length, and the subsequent pass writes data into the allocated buffer.

The fundamental issue stems from a state inconsistency between these two passes. When a rewrite directive includes a question mark (?), it permanently sets an is_args = 1 flag on the main script engine. However, during the first pass, which is responsible for length calculation, a zeroed-out sub-engine is utilized. This means the is_args flag is effectively zero during this phase, leading to the length being calculated without properly accounting for URI escaping.

NGINX Hit by 4 Memory Flaws (source: depthfirst)

In the second pass, where data is copied, the main engine operates with is_args = 1. This critical difference causes the ngx_escape_uri function to expand each escapable byte from one to three bytes. Consequently, significantly more data is written to the buffer than was initially allocated, resulting in a classic heap buffer overflow condition.
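The mismatch between the two passes can be expressed as a consistency check. The following is an added example, not NGINX source code and not F5's patch: a simplified Python model in which the length pass and the copy pass either share the is_args flag or, as described above, the length pass sees it as zero. The escapable byte set, the function names and the sample value are assumptions made for this model.

```python
# Simplified model of a measure-then-copy script engine (not NGINX source).
# Assumption: this small byte set stands in for the "escapable" bytes.
ESCAPABLE = frozenset(b' "#%?')


def escape_uri(data: bytes) -> bytes:
    """Percent-encode escapable bytes, growing each from 1 byte to 3."""
    out = bytearray()
    for byte in data:
        if byte in ESCAPABLE:
            out += b"%%%02X" % byte
        else:
            out.append(byte)
    return bytes(out)


def length_pass(value: bytes, is_args: bool) -> int:
    """Pass 1: number of bytes to allocate for the value."""
    return len(escape_uri(value)) if is_args else len(value)


def copy_pass(value: bytes, is_args: bool) -> bytes:
    """Pass 2: the bytes that are actually written."""
    return escape_uri(value) if is_args else value


def evaluate(value: bytes, main_is_args: bool, shared_state: bool):
    """Return (allocated, written) for one variable expansion.

    shared_state=False models the flaw: the length pass runs on a zeroed
    sub-engine, so it sees is_args = 0 whatever the main engine holds.
    shared_state=True enforces the invariant that both passes see one flag.
    """
    length_flag = main_is_args if shared_state else False
    allocated = length_pass(value, length_flag)
    written = len(copy_pass(value, main_is_args))
    return allocated, written


def overrun(value: bytes, main_is_args: bool, shared_state: bool) -> int:
    """Bytes written past the allocation (0 means the passes agree)."""
    allocated, written = evaluate(value, main_is_args, shared_state)
    return max(0, written - allocated)


# Constructed sample value with three escapable bytes (two spaces, one '#').
SAMPLE_VALUE = b"user name #1"
```

A regression test built on this idea asserts that the overrun is zero for every flag state, which is the property the two passes must keep.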

Security researchers successfully developed a working RCE exploit for systems where Address Space Layout Randomization (ASLR) is disabled. The security research firm depthfirst independently discovered the vulnerability during an April 2026 code audit. This audit also uncovered three additional memory corruption bugs within the NGINX codebase.

The exploit chain leverages heap manipulation, fake cleanup structure spraying via POST bodies, and NGINX’s deterministic multi-process architecture to achieve reliable and repeatable code execution. A public PoC is now available on GitHub.

In addition to the critical RCE flaw, three other CVEs related to memory corruption were confirmed:

  • CVE-XXXX-XXXXX (details from source, if any)
  • CVE-XXXX-XXXXX (details from source, if any)
  • CVE-XXXX-XXXXX (details from source, if any)

The vulnerability impacts a broad spectrum of F5/NGINX products, including NGINX Open Source versions 0.6.27–1.30.0, NGINX Plus R32–R36, NGINX Instance Manager, NGINX App Protect WAF, NGINX Gateway Fabric, and NGINX Ingress Controller.

F5 issued its official security advisory on May 13, 2026, urging administrators to upgrade to NGINX 1.30.1 or 1.31.0 without delay.

What You Should Do

  • Upgrade Immediately: All administrators should upgrade their NGINX installations to version 1.30.1 or 1.31.0 as soon as possible to mitigate this critical vulnerability.
  • Audit Configurations: If immediate patching is not feasible, organizations should audit their NGINX configurations for the combined use of rewrite and set directives.
  • Implement WAF Protection: Consider placing exposed NGINX deployments behind an additional Web Application Firewall (WAF) layer to provide an extra barrier against exploitation until patching can be completed.
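One way to carry out the configuration audit, as an added example that does not come from the article, F5 or depthfirst: a Python scanner that lists blocks containing both set and rewrite and marks rewrites whose replacement contains a question mark. Pairing only directives that sit in the same block is an assumption of this example, and the function name audit and the sample configuration are constructed.

```python
import re

# Token kinds, in order: comment | quoted string | punctuation | bare word.
TOKEN = re.compile(
    r"""\s*(?:(#[^\n]*)|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|([{};])|([^\s{};]+))"""
)

def audit(text: str) -> list:
    """Blocks that directly contain both `set` and `rewrite` (heuristic)."""
    # Assumption: same-block pairing only; `include` files are not followed.
    stack, words, seen, next_id = [(0, "main")], [], {}, 1
    for match in TOKEN.finditer(text):
        comment, quoted, punct, bare = match.groups()
        if comment:
            continue
        if quoted or bare:
            words.append(quoted[1:-1] if quoted else bare)
            continue
        if punct == "{":                      # block opens: words are its header
            stack.append((next_id, " ".join(words)))
            next_id += 1
        elif punct == "}" and len(stack) > 1:
            stack.pop()
        elif punct == ";" and words and words[0] in ("set", "rewrite"):
            block_id, header = stack[-1]
            entry = seen.setdefault(
                block_id, {"block": header, "set": False, "rewrite": []})
            if words[0] == "set":
                entry["set"] = True
            elif len(words) >= 3:             # rewrite regex replacement [flag]
                entry["rewrite"].append(words[2])
        words = []
    return [
        {"block": e["block"],
         "rewrite_with_args": [r for r in e["rewrite"] if "?" in r]}
        for e in seen.values() if e["set"] and e["rewrite"]
    ]

# Constructed sample configuration.
SAMPLE = r"""
server {
    location /api/ {
        set $backend "v2";
        rewrite ^/api/(.*)$ /$backend/$1?src=gw last;
    }
    location /static/ { rewrite ^/static/(.*)$ /assets/$1 last; }
    location /old/ { set $flag 1; rewrite ^/old/(.*)$ /new/$1 permanent; }
}
"""
```

Run it over the output of `nginx -T` so that included files are covered, and review blocks with a non-empty rewrite_with_args list first.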
