Rewrite-Module
NGINX Rift: 18-Year-Old Rewrite Module Heap Overflow Hits Unauthenticated RCE With Public PoC
CVE-2026-42945 is a CVSS 9.2 heap buffer overflow in ngx_http_rewrite_module that has lived in NGINX since 2008. A working unauthenticated RCE PoC is public; reachability hinges on a specific rewrite-directive pattern most prod configs actually contain.