
GitHub - DepthFirstDisclosures/Nginx-Rift: exploit for CVE-2026-42945

GitHub · DepthFirstDisclosures · 18 days ago

RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008. The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

This vulnerability, along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934), was autonomously discovered by depthfirst's security analysis system after a single click of onboarding the NGINX source.

Want to find issues like this in your own code? Try the same system at https://depthfirst.com/open-defense.

The Bug (TL;DR)

NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The is_args flag is set on the main engine when a rewrite replacement contains ?, but the length-calculation pass runs on a freshly zeroed sub-engine. So:

Length pass sees is_args = 0 → returns raw capture length.…
