
New Nginx Exploit

Hacker News · May 14, 2026, 5:17 PM

Key takeaways

  • RCE proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008.
  • NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in.

RCE proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008. The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by depthfirst's security analysis system after the NGINX source was onboarded with a single click.

Want to find issues like this in your own code? Try the same system at https://depthfirst.com/open-defense.

Article preview — originally published by Hacker News. Full story at the source.