This emergency release introduces two new rules to detect nginx heap buffer overflow and heap spray exploitation attempts targeting the rewrite module’s is_args stale-state bug (CVE-2026-42945).
Key Findings
CVE-2026-42945: nginx Heap Buffer Overflow via Stale is_args in Rewrite Module
Successful exploitation allows remote attackers to trigger a heap buffer overflow in nginx’s rewrite module by sending crafted URIs containing escapable characters. A length/copy pass mismatch in ngx_http_script_copy_capture_code() causes the copy pass to write escaped data into an undersized buffer, leading to heap corruption. This enables denial of service (worker process crash) and, with heap feng shui techniques, potential remote code execution.
We strongly recommend upgrading to nginx 1.30.1 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, avoid configurations in which a rewrite directive with ? in its replacement string is followed by a set or if directive that references capture groups.
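A heuristic audit for the configuration pattern named in the workaround above, added here as an example; it is not part of Cloudflare's release note or of nginx. It assumes one directive per line, a `{` ending any line that opens a block, and numbered captures ($1 to $9) only; the function name and the sample configuration are constructed for illustration.

```python
import re

REWRITE = re.compile(r"^\s*rewrite\s+\S+\s+(\S+)")  # group 1 = replacement string
FOLLOWUP = re.compile(r"^\s*(set|if)\b")
CAPTURE = re.compile(r"\$[1-9]")  # numbered captures only (assumption)

def find_risky_rewrites(conf_text):
    """Return (rewrite_line, followup_line, directive) for each suspect pair."""
    findings = []
    scopes = [[]]  # pending rewrite line numbers, one list per open block
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # naive comment strip
        rewrite = REWRITE.match(line)
        followup = FOLLOWUP.match(line)
        if rewrite and "?" in rewrite.group(1):
            scopes[-1].append(lineno)
        elif followup and CAPTURE.search(line):
            # Pair with every earlier flagged rewrite in this or an enclosing block.
            for pending in scopes:
                findings.extend((rw, lineno, followup.group(1)) for rw in pending)
        if line.endswith("{"):
            scopes.append([])
        elif line.lstrip().startswith("}") and len(scopes) > 1:
            scopes.pop()
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/index?page=$1 last;   # '?' in replacement
        set $target $1;                                 # capture used afterwards
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /p/$1 last;               # no '?'
        set $target $1;
    }
    location /late/ {
        set $target $uri;
        rewrite ^/late/(.*)$ /l?x=$1 last;              # nothing follows it
    }
}
"""

if __name__ == "__main__":
    for rw, fu, directive in find_risky_rewrites(SAMPLE):
        print(f"rewrite on line {rw} is followed by '{directive}' on line {fu}")
```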
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 2013e3e58efe4b79a26e214f7e52be73 | N/A | nginx – Remote Code Execution – Buffer Overread – CVE:CVE-2026-42945 | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 68226e83a4d14ee9a9c878469df0ee6c | N/A | nginx – Remote Code Execution – Heap Spray – CVE:CVE-2026-42945 | N/A | Block | This is a new detection. |
Source: Cloudflare