Editorial

An Autonomous AI Found an 18-Year-Old nginx Bug in Six Hours

Robert · Updated May 15, 2026 · 4 min read


CVE-2026-42945 is a heap buffer overflow in nginx's ngx_http_rewrite_module. CVSS 9.2. The vulnerability has been in the codebase since version 0.6.27, which was released roughly 18 years ago. It was discovered on April 18, 2026 by DepthFirst AI's autonomous scanning system during a six-hour code analysis session.

Three additional memory corruption vulnerabilities were found in the same session.

nginx powers approximately a third of the top-ranked websites globally. It is used by cloud providers, SaaS platforms, banks, media companies, and as the ingress controller in Kubernetes clusters.

The fix is available. Patch now.


What the vulnerability is

The flaw lives in how nginx's internal script engine handles rewrite and set directives together. The engine processes rewrites in two passes: one to calculate how much memory to allocate, and one to copy the actual data.

The engine's is_args flag remains set after a rewrite whose replacement contains ?, so the first pass sizes the buffer from the unescaped URI length while the second pass writes the longer escaped form (characters such as + and & expand when escaped). The size calculation and the write disagree, producing a heap buffer overflow.

This pattern -- rewrite combined with set -- is described by the researchers as common in API gateways and reverse proxy configurations.

Affected versions: NGINX Open Source 0.6.27 through 1.30.0, NGINX Plus R32 through R36, and several NGINX App Protect and Gateway Fabric versions.

Fixed in: NGINX Open Source 1.31.0 and 1.30.1, NGINX Plus R36 P4 and R32 P6.


What it can do

Denial of service: Confirmed. Crashing nginx worker processes via a crafted request is described by AlmaLinux, who independently reproduced the flaw, as trivial and reliable. This alone is enough to treat the issue as urgent.

Remote code execution: Real but disputed for hardened systems. DepthFirst demonstrated unauthenticated code execution on a system with ASLR disabled. nginx's multi-process architecture makes exploitation easier when ASLR is off because worker processes inherit nearly identical memory layouts from the master process, allowing repeated attempts if a worker crashes.

On systems with ASLR enabled -- which is the default on Linux -- turning the heap overflow into dependable remote code execution is, in AlmaLinux's assessment, "not trivial." Kevin Beaumont noted that the published PoC was built against a deliberately vulnerable setup and does not demonstrate reliable code execution against hardened real-world systems.

The honest position: patch for the confirmed DoS. Treat RCE as a serious concern without assuming it is trivially weaponisable in production environments with standard hardening.


The AI discovery angle

DepthFirst AI's autonomous scanning system found this vulnerability in a six-hour session. Not a six-month engagement. Six hours.

This is the same dynamic that makes supply chain attacks harder to detect: the offense is operating at machine speed. An 18-year-old bug survived decades of human review and was found by an autonomous system in an afternoon. The timeline from "bug found" to "PoC published" is now measured in days, not months.

The CVE-to-exploit window has been collapsing for years. AI-assisted vulnerability research accelerates that further. The implication for infrastructure is straightforward: the time available between disclosure and exploitation is not long enough for a manual review cycle. Deterministic signals checked at deploy time are the correct architectural response.


What Attestd returns

nginx is one of Attestd's original covered products.

```bash
# Affected version
curl "https://api.attestd.io/v1/check?product=nginx&version=1.25.3" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Fixed version
curl "https://api.attestd.io/v1/check?product=nginx&version=1.31.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

CVE-2026-42945 and the three accompanying CVEs are tracked in the Attestd data for affected nginx versions. As NVD enrichment and CISA KEV data develop for this CVE group, the risk state will update automatically.


Mitigation

Upgrade to NGINX Open Source 1.31.0 or 1.30.1. For NGINX Plus, upgrade to R36 P4 or R32 P6.

For those unable to upgrade immediately, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in vulnerable rewrite rules with named captures. This eliminates the main exploitation prerequisite without requiring an upgrade.
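As an added example (not Attestd's code and not part of F5's advisory), this Python script applies the two mitigation checks above locally: it tests an NGINX Open Source version string against the affected range stated on this page (0.6.27 through 1.30.0, with 1.30.1 and 1.31.0 fixed), and it scans a constructed nginx config for rewrite directives whose replacement still references unnamed captures ($1, $2, ...), the pattern F5 recommends converting to named captures written as (?<name>...) and referenced as $name. The config parsing is deliberately simplified (unquoted, single-line rewrite directives only) and NGINX Plus release numbers are not handled.

```python
import re

# NGINX Open Source range given on this page; 1.30.1 and 1.31.0 carry the fix.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

def parse_version(s):
    """'1.25.3' -> (1, 25, 3); a distro suffix such as '1.25.3-1~jammy' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised nginx version: {s!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when an open-source build falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

# One unquoted, single-line rewrite directive: regex, replacement, optional flag.
REWRITE_RE = re.compile(
    r"^\s*rewrite\s+(\S+)\s+(\S+?)\s*(?:last|break|redirect|permanent)?\s*;", re.M)
NUMERIC_CAPTURE = re.compile(r"\$\d")  # $1, $2, ... in the replacement

def find_unnamed_capture_rewrites(conf_text):
    """Return (line_no, directive) for each rewrite whose replacement uses $N."""
    hits = []
    for m in REWRITE_RE.finditer(conf_text):
        replacement = m.group(2)
        if NUMERIC_CAPTURE.search(replacement):
            line_no = conf_text.count("\n", 0, m.start()) + 1
            hits.append((line_no, m.group(0).strip()))
    return hits

# Constructed sample: first location uses set + rewrite with $1 (flagged); second uses a named capture.
SAMPLE_CONF = """\
server {
    listen 80;
    location /api/ {
        set $upstream_path $request_uri;
        rewrite ^/api/(.*)$ /v1/$1?via=gateway last;
    }
    location /docs/ {
        rewrite ^/docs/(?<page>.*)$ /pages/$page permanent;
    }
}
"""

if __name__ == "__main__":
    for v in ("1.25.3", "1.30.1", "1.31.0"):
        print(v, "AFFECTED" if is_affected(v) else "fixed")
    for line_no, directive in find_unnamed_capture_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: {directive}  <- convert $N to a named capture")
```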

The other three CVEs from the same session:

CVE-2026-42946 is excessive memory allocation in SCGI/UWSGI modules that can crash workers via approximately 1 TB allocation requests. CVE-2026-40701 is a use-after-free in asynchronous OCSP DNS resolution handling. CVE-2026-42934 is an off-by-one UTF-8 parsing bug causing out-of-bounds reads. All three received medium severity ratings.

Full product reference at attestd.io/docs/products.

Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.