Scoopfeeds — Intelligent news, curated.
computer-science

New Nginx Exploit

Hacker News · May 14, 2026, 5:17 PM

Key takeaways

  • RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008.
  • Try the same system at https://depthfirst.com/open-defense.
  • NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in.

RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008. The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by depthfirst's security analysis system after a single click of onboarding the NGINX source.

Want to find issues like this in your own code? Try the same system at https://depthfirst.com/open-defense.

Article preview — originally published by Hacker News. Full story at the source.
Read full story on Hacker News → More top stories

More in computer-science

IEEE Spectrum
IEEE Society Helps Researchers Meet Their Next Corporate Backer
Hacker News
Deal reached with hackers to delete data stolen from the Canvas platform
Hacker News
Bun's Rust rewrite has been merged
Hacker News
Removing the Modem and GPS from My 2024 RAV4 Hybrid
Ars Technica
Vaporware or not? Aptera assembles its first five validation models.
Aggregated and edited by the Scoop newsroom. We surface news from Hacker News alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop