Decade Old Heap Flaw in Nginx Opens Door to Remote Code Execution

An 18-year-old heap buffer overflow in Nginx's rewrite module, disclosed with a working exploit, allows unauthenticated code execution on vulnerable systems.

CSBadmin
2 Min Read

Inside the Vulnerability

A critical security flaw has been uncovered in Nginx, the widely used web server software, allowing unauthenticated remote code execution in certain configurations. The vulnerability resides in the ngx_http_rewrite_module, a core component that processes URL rewriting and variable assignments. The bug was introduced in version 0.6.27 in 2008 and went unnoticed for 18 years, persisting through every subsequent release up to version 1.30.0.

The problem arises when both the `rewrite` and `set` directives are used together, a common pattern in API gateway deployments. Nginx processes these directives in two passes: the first calculates the required memory, and the second writes data into the allocated buffer. A state mismatch between these passes causes a heap buffer overflow. Specifically, when a `rewrite` directive contains a question mark, it permanently sets an internal flag in the main script engine. During the first pass, a separate sub-engine is used in which this flag is cleared, so the buffer size needed for URI escaping is underestimated. The second pass then writes far more data than was allocated, resulting in the overflow.
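To make the mechanism concrete, here is an added Python model of a two-pass script engine. It is not nginx's code: the escaping rules, the engine layout and the flag name `escape_args` are assumptions that only reproduce the shape of the bug the article describes, namely a sticky flag set on the main engine, a fresh sub-engine used for the length pass, and a write pass driven by the main engine. `measure_buggy` under-counts, `measure_fixed` carries the state across, and the bound check in `write` stands in for the heap overrun that a C implementation would commit silently.

```python
# Simplified model of a "measure, then write" script engine, added to
# illustrate the bug class. Not nginx code; escaping rules, engine layout
# and the flag name escape_args are assumptions.

SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789-._~/")


def escape(value: str, escape_args: bool) -> bytes:
    """Percent-encode value (ASCII input assumed). With escape_args set,
    '?', '&' and '=' are also encoded, so each costs 3 bytes instead of 1."""
    out = bytearray()
    for ch in value:
        if ch in SAFE or (not escape_args and ch in "?&="):
            out += ch.encode()
        else:
            out += b"%%%02X" % ord(ch)
    return bytes(out)


class Engine:
    """Per-request script engine state; escape_args is sticky once set."""
    def __init__(self, escape_args: bool = False):
        self.escape_args = escape_args


def measure_buggy(main: Engine, parts) -> int:
    # Pass 1 runs in a fresh sub-engine, so the flag set on `main` is lost
    # and every '?', '&' and '=' is counted as one byte instead of three.
    sub = Engine()
    return sum(len(escape(p, sub.escape_args)) for p in parts)


def measure_fixed(main: Engine, parts) -> int:
    # Pass 1 must observe exactly the state that pass 2 will use.
    sub = Engine(escape_args=main.escape_args)
    return sum(len(escape(p, sub.escape_args)) for p in parts)


def write(main: Engine, parts, size: int) -> bytes:
    """Pass 2: copy the escaped parts into a buffer of `size` bytes.
    A C writer would run past the end of the heap block; the explicit
    bound check here turns the mismatch into a visible error instead."""
    buf = bytearray(size)
    pos = 0
    for p in parts:
        chunk = escape(p, main.escape_args)
        if pos + len(chunk) > size:
            raise OverflowError(f"need {pos + len(chunk)} bytes, allocated {size}")
        buf[pos:pos + len(chunk)] = chunk
        pos += len(chunk)
    return bytes(buf[:pos])


def run(replacement: str, captures, measure):
    """Evaluate one rewrite: a '?' in the replacement sets the sticky flag,
    then pass 1 (measure) sizes the buffer and pass 2 (write) fills it.
    Returns (allocated_size, output_bytes_or_error_message)."""
    main = Engine()
    if "?" in replacement:
        main.escape_args = True
    size = measure(main, captures)
    try:
        return size, write(main, captures, size)
    except OverflowError as exc:
        return size, str(exc)


# Constructed inputs: a replacement carrying '?' and captured request data
# containing the characters that become more expensive once the flag is set.
REPLACEMENT = "/new/$1?from=old"
CAPTURES = ["/api/v1", "x=1&y=2?z"]

if __name__ == "__main__":
    print("buggy:", run(REPLACEMENT, CAPTURES, measure_buggy))
    print("fixed:", run(REPLACEMENT, CAPTURES, measure_fixed))
```

With the flag lost in pass 1, the buffer is sized for 16 bytes while pass 2 produces 24; without a `?` in the replacement both passes agree and nothing goes wrong, which is why the defect survived ordinary configurations for so long.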

Impact and Exploitation

Security researchers at depthfirst discovered the flaw during a code audit in April 2026. They also identified three additional memory corruption bugs in the same audit. The team developed a working proof-of-concept exploit for systems with Address Space Layout Randomization (ASLR) disabled. The exploit chains together heap manipulation and the spraying of fake cleanup structures via HTTP POST bodies, and leverages Nginx's deterministic multi-process architecture to achieve reliable code execution. A public proof of concept has been released on GitHub.

This vulnerability has been assigned a high severity score (CVSS 9.2). Administrators are strongly urged to update their Nginx installations immediately to protect against potential attacks targeting this long-standing defect.
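While the update is being scheduled, administrators will want to know which of their configurations match the pattern the article names. The following is an added triage script, not nginx's or depthfirst's code: it parses an nginx configuration (a constructed sample is embedded) and reports every block in which a `set` directive and a `rewrite` whose replacement contains a `?` are in scope together. The rule that a directive in an enclosing block counts for every nested block is an assumption chosen to over-report rather than miss a candidate; the script is a prioritisation aid, not a test for exploitability.

```python
import re

# Added triage example; not nginx or depthfirst code. The scope-inheritance
# rule is an assumption that deliberately over-reports.

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\']+')


def strip_comments(text: str) -> str:
    """Drop '#' comments outside quotes while preserving line numbers."""
    out = []
    for line in text.splitlines():
        quote = None
        for i, ch in enumerate(line):
            if quote:
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif ch == "#":
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)


def unquote(arg: str) -> str:
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        return arg[1:-1]
    return arg


def parse(text: str):
    """Return nested directives as (name, args, line, children_or_None)."""
    text = strip_comments(text)
    root, current = [], []
    stack = [root]
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        line = text.count("\n", 0, m.start()) + 1
        if tok == ";":
            if current:
                stack[-1].append((current[0][0], [t for t, _ in current[1:]], current[0][1], None))
            current = []
        elif tok == "{":
            children = []
            name = current[0][0] if current else ""
            start = current[0][1] if current else line
            stack[-1].append((name, [t for t, _ in current[1:]], start, children))
            stack.append(children)
            current = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            current.append((tok, line))
    return root


def find_risky_blocks(directives, sets=(), rewrites=(), path="main"):
    """Report (path, set_lines, rewrite_lines) for blocks where a `set` and a
    `rewrite` with '?' in its replacement are both in scope. A block is
    reported only if it contributes at least one of the two itself."""
    sets, rewrites = list(sets), list(rewrites)
    own = False
    for name, args, line, _ in directives:
        if name == "set":
            sets.append(line)
            own = True
        elif name == "rewrite" and len(args) >= 2 and "?" in unquote(args[1]):
            rewrites.append(line)
            own = True
    findings = []
    if own and sets and rewrites:
        findings.append((path, sorted(sets), sorted(rewrites)))
    for name, args, _, children in directives:
        if children is not None:
            sub_path = f"{path} > {name} {' '.join(args)}".strip()
            findings += find_risky_blocks(children, sets, rewrites, sub_path)
    return findings


# Constructed sample configuration: one block matches, two do not.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        set $backend "upstream_a";                   # variable assignment
        location /api/ {
            rewrite ^/api/(.*)$ /v1/$1?source=gw break;  # replacement has '?'
            proxy_pass http://$backend;
        }
        location /static/ {
            rewrite ^/static/(.*)$ /assets/$1 last;      # no '?'
        }
    }
    server {
        listen 8080;
        location / {
            set $flag 1;
            rewrite ^/x/(.*)$ /y/$1 break;               # set present, but no '?'
        }
    }
}
"""

if __name__ == "__main__":
    for path, set_lines, rw_lines in find_risky_blocks(parse(SAMPLE_CONF)):
        print(f"{path}: set at lines {set_lines}, rewrite with '?' at lines {rw_lines}")
```

Run it against a real `nginx -T` dump (which expands `include` directives) rather than a single file, so that directives pulled in from other files are seen in their actual scope.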

Source: Cyber Security News
