CVE-2026-42945

Published May 13, 2026

Last updated 17 days ago

CVSS critical 9.2
NGINX
Ubuntu
NGINX Plus
NGINX Open Source

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-42945 is a heap buffer overflow vulnerability found in the `ngx_http_rewrite_module` of NGINX Plus and NGINX Open Source. This flaw occurs when a `rewrite` directive is immediately followed by another `rewrite`, `if`, or `set` directive, and an unnamed Perl-Compatible Regular Expression (PCRE) capture (such as `$1` or `$2`) is used within a replacement string that contains a question mark (`?`). An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests. This can lead to a heap buffer overflow in the NGINX worker process, causing it to restart. Additionally, on systems where Address Space Layout Randomization (ASLR) is disabled, this vulnerability could potentially allow for code execution.

Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source
f5sirt@f5.com
NVD status
Awaiting Analysis
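
As an added example (not code from F5, the NGINX project, or this page), the Python function below scans configuration text for the pattern the description names: a `rewrite` whose replacement contains `?` and an unnamed capture, followed in the same block by `rewrite`, `if`, or `set`. It assumes the capture and `?` belong to the first `rewrite`, treats any later follower in the same block as a match (a conservative reading of "followed by"), and does not resolve `include` files; `find_risky_rewrites` and `SAMPLE_CONF` are names chosen here.

```python
import re

WORD = r"(?:\$\{\w+\}|[^\s{};])"           # ${var} braces stay inside a word
TOKEN = re.compile(
    r"#[^\n]*|\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*'|[{};]|(?!['\"#])" + WORD + "+")
FOLLOWERS = {"rewrite", "if", "set"}        # followers named in the description
UNNAMED_CAPTURE = re.compile(r"\$\d")       # $1, $2, ... but not $name

# Constructed sample configuration (not taken from the page or a real server).
SAMPLE_CONF = """\
server {
    location /old {
        rewrite ^/old/(.*)$ /new?item=$1;   # line 3: '?' plus $1
        set $moved 1;                       # line 4: follower
    }
    location /named {
        rewrite ^/n/(?<id>\\d+)$ /v?id=$id; # named capture only
        set $seen 1;
    }
    location /alone {
        rewrite ^/s/(.*)$ /t?x=$1 last;     # no follower in this block
    }
}
"""


def find_risky_rewrites(conf_text):
    """Return [(rewrite_line, follower_name, follower_line), ...]."""
    findings, stmt, stmt_line = [], [], 0
    pending = [[]]                          # candidate rewrite lines per open block
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):      # argument: extend current directive
            if not stmt:
                stmt_line = conf_text.count("\n", 0, m.start()) + 1
            stmt.append(tok[1:-1] if tok[0] in "\"'" else tok)
            continue
        if stmt and stmt[0] in FOLLOWERS:   # assumption: any later follower counts
            findings += [(ln, stmt[0], stmt_line) for ln in pending[-1]]
            pending[-1] = []
        if stmt[:1] == ["rewrite"] and len(stmt) >= 3:
            repl = stmt[2]                  # rewrite <regex> <replacement> [flag]
            if "?" in repl and UNNAMED_CAPTURE.search(repl):
                pending[-1].append(stmt_line)
        if tok == "{":
            pending.append([])
        elif tok == "}" and len(pending) > 1:
            pending.pop()
        stmt = []
    return findings
```

An empty result only means this pattern was not seen in the text that was scanned; included files and generated configuration need to be passed in separately.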

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.2
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

f5sirt@f5.com
CWE-122

Social media

Hype score
Not currently trending
  1. 05:06 UTC: CVE-2026-42945 disclosed. ⚠️CVE-2026-42945: RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_m

    @lyrie_ai

    7 Jun 2026

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. 02:35 UTC: CVE-2026-42945 disclosed. 🚨Alert🚨 CVE-2026-42945: A Critical Heap Buffer Overflow in NGINX. 🧐Credit by depthfirst: 📊 86 0day Intel: 🚨Alert🚨 CVE-2026-42945: A Critical Heap Buffer Overflow in NGINX.

    @lyrie_ai

    7 Jun 2026

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. CVE-2026-42945. Source: X search for CVE-2026 critical Posted: 2026-05-19T20:34:16.000Z Likes: 24

    @lyrie_ai

    7 Jun 2026

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

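  4. A lot of the PoC repos fed to the security community lately don't run, but this poc-lab is kind of interesting. Each CVE directory comes with an exploit script and a reproduction guide, from the Linux kernel to Chrome, Redis and Notepad++, all covering this year's high-severity vulnerabilities. The recently updated CVE-2026-48778 Notepad++ RCE and CVE-20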

    @vintcessun

    1 Jun 2026

    37 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  5. CVE-2026-42945 - NGINX vulnerability https://t.co/tT8DtrcDYC https://t.co/WwRxZKYfXU

    @SirajD_Official

    31 May 2026

    61 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2026-42945 - NGINX vulnerability https://t.co/LSrXs9SU2Q https://t.co/x0OUZWI8Tb

    @CloudVirtues

    31 May 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2026-42945 - NGINX vulnerability https://t.co/XtiasWkTSq https://t.co/ZEA394flyz

    @Guru0791

    30 May 2026

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2026-42945 - NGINX vulnerability https://t.co/FeWBuYnSeE https://t.co/m58UYqC9rK

    @scandaletti

    29 May 2026

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. ⚠️ A critical vulnerability in a widely deployed web server allows unauthenticated remote code execution, with active exploitation observed. ID: CVE-2026-42945 Severity: 9.2 (CVSSv4) - Critical Affected: NGINX OSS ≤ 1.

    @KasperskyDev

    29 May 2026

    292 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Zero-day vulnerability nginx-poolslip (CVE-N/A) detected in NGINX 1.31.0: possible RCE via ASLR bypass https://t.co/cD85vEmFd3 The cause of this issue is a flaw in NGINX's internal memory pool management mechanism. Recently fixed

    @iototsecnews

    28 May 2026

    86 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. The NGINX Poolslip saga is a masterclass in why single patches fail. They fixed the buffer overflow in Rift (CVE-2026-42945) but left the underlying memory pool attack surface wide open. Now the same module has a second critical CVE. Patch the root cause, not just the symptom.

    @da7rkx0

    27 May 2026

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🚨 BREAKING: 1/3 of the internet is under active attack. Two critical zero-days (CVE-2026-42945 & CVE-2026-9256) just hit NGINX. The craziest part? The first bug hid in the codebase for 18 YEARS before an AI audit found it. Here is why this is a nightmare 🧵👇 https:/

    @da7rkx0

    27 May 2026

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  13. #NGINX CVE-2026-42945 #Exploited in the Wild, Causing #WorkerCrashes and Possible #RCE https://t.co/IPQBkmqrIB

    @miguelcarvajalm

    25 May 2026

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. Serious NGINX RCE vulnerability CVE-2026-42945: exploitation in the wild confirmed immediately after disclosure https://t.co/RCLSofJSxR This NGINX vulnerability, CVE-2026-42945, is caused by a programming flaw called a heap buffer overflow

    @iototsecnews

    25 May 2026

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Recent exploits: Critical NGINX vulnerability (CVE-2026-42945) active. Also, TLS backends allowing rogue CA cert loading (CVE-2026-8723) & Google API keys lingering post-deletion threaten data integrity in transit. #Cybersecurity #News #Vulnerabilities

    @YourAnon_irc

    24 May 2026

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 CRITICAL NGINX FLAW! An 18-year-old bug 'NGINX Rift' (CVE-2026-42945) is actively exploited for DoS & RCE. Affects millions of web servers. Patch immediately! #NGINX #CVE #Infosec #PatchNow 🌐 cyber[.]netsecops[.]io https://t.co/YLqgqNVbyF

    @NetSecIO

    24 May 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. #躺着打工 CVE-2026-42945 ruined my weekend.

    @ieasterfan

    24 May 2026

    115 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. NEW THREAT INTEL: CVE-2026-9256 Nginx-poolslip - Pre-auth heap overflow, bypasses CVE-2026-42945 patch. 9 detections, 15 IOCs. https://t.co/HThqQ69S36 #ThreatIntel #NGINX https://t.co/y7pFDfXADo

    @threadlinqs

    23 May 2026

    78 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Top 5 Trending CVEs: 1 - CVE-2026-42945 2 - CVE-2026-46333 3 - CVE-2026-9082 4 - CVE-2026-31431 5 - CVE-2025-34291 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    22 May 2026

    267 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. ⚠️CVE-2026-42945: RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008 GitHub: https://t.co/4hnYDzPM0b https://t.co/wtz8Kt74G5

    @Anastasis_King

    22 May 2026

    2427 Impressions

    10 Retweets

    42 Likes

    18 Bookmarks

    0 Replies

    0 Quotes

  21. Top 5 Trending CVEs: 1 - CVE-2026-42945 2 - CVE-2026-46333 3 - CVE-2026-0265 4 - CVE-2020-2033 5 - CVE-2026-33278 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    21 May 2026

    145 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 1/ was idly googling nginx and ended up finding news that there are 2 new critical CVEs 😅 CVE-2026-42945 (NGINX Rift) & CVE-2026-8711, both CVSS 9.2, i.e. critical. Checking the production servers right away 🧵

    @r00teen

    21 May 2026

    57 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    2 Replies

    0 Quotes

  23. Serious NGINX vulnerability CVE-2026-42945 fixed: RCE and the arrival of a PoC https://t.co/qXmiTPEh6J This vulnerability, CVE-2026-42945, is caused by a "state inconsistency" in a two-stage processing procedure performed inside NGINX. The first stage

    @iototsecnews

    21 May 2026

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

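  24. Explaining CVE-2026-8711 (CVSS 9.2) in NGINX njs. Compared with NGINX Rift (CVE-2026-42945), published the same day, the difference in the scope of impact is important. ・Impact only when all 3 conditions are met (AND) ・Fixed version: update to njs 0.9.9 or later ・NGINX Rift (PoC published・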

    @MyTechBlogJP

    20 May 2026

    115 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Once again a vulnerability has been published for the latest nginx versions, 1.31.0. A critical RCE CVE. 😑 Curse whoever is responsible for the internet shutdown, with all these vulnerabilities that can't be updated. CVE-2026-42945

    @Agent15A

    20 May 2026

    153 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  26. CVE-2026-42945 "NGINX Rift": a heap buffer overflow vulnerability in ngx_http_rewrite_module, present since 2008 and affecting all NGINX versions up to 1.30.0. An unauthenticated attacker can achieve RCE with a single HTTP request. CVSS 9.2 Critical. Discovered by a system

    @KasperskyDev

    20 May 2026

    105 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. CVE-2026-42945: ‼️🚨 MAJOR IMPACT: The 18-year-old NGINX critical RCE vulnerability "NGINX Rift" (CVE-2026-42945) now WORKS with ASLR turned ON. PoC code with the ASLR bypass has just been published on GitHub.

    @lyrie_ai

    20 May 2026

    107 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  28. NGINX vulnerability: the critical flaw CVE-2026-42945, present for 18 years, has been exploited, causing servers to crash. NGINX Rift: Critical 18-Year-Old Flaw CVE-2026-42945 Actively Exploited to Crash Servers #DailyCyberSecurity (May 19) https://t.co/

    @foxbook

    20 May 2026

    253 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. CVE-2026-42945: CVE-2026-42945 ⚠️ NGINX – Heap Overflow / Possible RCE Actively Exploited in the Wild (CVSS 9.2) A heap-based buffer overflow in ngx_http_rewrite_module affects NGINX Open Source and NGINX Plus ≤1.30.0. Crafted HTTP requests can trigger worker crashes and…

    @lyrie_ai

    20 May 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. CVE-2026-42945: Critical 18-year-old "NGINX Rift" flaw CVE-2026-42945 is under active exploitation. Learn how to patch your proxies and block the unauthenticated heap overflow #NGINXRift #CVE202642945 #Infosec2026 #WebSecurity #SysAdmin #DevSecOps #AppSec #BufferOverflow…

    @lyrie_ai

    20 May 2026

    158 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. CVE-2026-42945. Source: X search for RCE 2026 exploit Posted: 2026-05-18T10:18:43.000Z Likes: 296

    @lyrie_ai

    20 May 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. CVE-2026-42945. 0day Intel: Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 https:

    @lyrie_ai

    19 May 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. nginx CVE-2026-42945 no. you _do not have to_ upgrade. only if you use rewrite+set directives and/or run shared hosting. another cve being used by infosec to satisfy their adhd. https://t.co/80I6nGUwuc

    @bubble_email

    19 May 2026

    27 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  34. Top 5 Trending CVEs: 1 - CVE-2026-2276 2 - CVE-2026-42945 3 - CVE-2026-20182 4 - CVE-2026-40369 5 - CVE-2026-29205 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    19 May 2026

    140 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  35. 📌 NGINX vulnerability CVE-2026-42945 exploited in the wild, leading to worker crashes and possible remote command execution 🛡️ Category: Vulnerability 📝 Summary: A recent security vulnerability has been exploited in

    @GMashari

    19 May 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. NGINX Rift: Critical 18-Year-Old Flaw CVE-2026-42945 Actively Exploited to Crash Servers https://t.co/c8OBGs9dcT The post NGINX Rift: Critical 18-Year-Old Flaw CVE-2026-42945 Actively Exploited to Crash Servers appeared first on Daily CyberSecurity. Related posts: 30-Year-Ol

    @f1tym1

    19 May 2026

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 🚨 Critical NGINX flaw is now being actively exploited — attackers are weaponizing CVE-2026-42945 just days after disclosure, putting millions of exposed servers at immediate risk 👇 #aiz_cyber #CVE #ThreatIntel https://t.co/wJcfDOzqaK

    @Aiz_Cyber

    19 May 2026

    66 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

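  38. [NGINX CVE-2026-42945: exploitation observed immediately after disclosure] CVE-2026-42945, concerning NGINX's ngx_http_rewrite_module, is reported to be exploited by attackers. Under specific rewrite configuration conditions a heap buffer overflow occurs, and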

    @01ra66it

    19 May 2026

    193 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945) https://t.co/yxCIMMPPBm

    @ninp0

    19 May 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. Linode: Critical NGINX heap overflow CVE-2026-42945 — patch now If you run NGINX on Linode instances or in images you deploy on Linode, CVE-2026-42945 is a critical heap buffer overflow that places unpatched deployments at elevated risk —… Read more → https://t.co/CrNQa

    @changewatchdev

    18 May 2026

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. Legacy exposure keeps paying off for attackers. CVE-2026-42945 makes NGINX rewrite chains a live patch pr… CVE-2026-42945 is now being exploited against NGINX. Patch exposed rewrite-based deployment… 🔗 Read → https://t.co/kMqpwbgPjZ

    @fynn_JourX

    18 May 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. 🚨 NGINX Rift (CVE-2026-42945) Critical Vulnerability Is Being Actively Exploited 📅 18 May 2026 · 16:29 (TR) Cyber attackers are actively exploiting a critical security vulnerability (CVE-2026-42945), dubbed NGINX Rift, that emerged last week

    @TheNetworkGhost

    18 May 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945): A critical NGINX vulnerability (CVE-2026-42945) disclosed last week is being exploited by attackers, VulnCheck security researcher Patrick Garrity revealed on Saturday. The… https://t.co/bioaZIgF4K https://

    @shah_sheikh

    18 May 2026

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. NGINX CVE-2026-42945 Exploited in Wild 1/2 NGINX CVE-2026-42945 CVSS 9.2, actively exploited in the wild. Heap buffer overflow in ngx_http_rewrite_module, introduced in 2008. Affects versions 0.6.27 through 1.30.0. Unauthenticated attacker can crash worker processes or achieve

    @ElusivePrivacy

    18 May 2026

    72 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  45. Nginx RIFT (CVE-2026-42945): understanding the 18-year-old flaw https://t.co/K5TT4NTlEA

    @HumanCodersNews

    18 May 2026

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. For defenders, cve-2026-42945 makes nginx rewrite chains a live patch priority should move fast. CVE-2026-42945 is now being exploited against NGINX. Patch exposed rewrite-based deployment… 🔗 Details → https://t.co/hlyJuCo0XN

    @SocXAInvaders

    18 May 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 🛑 CVE-2026-42945 makes NGINX rewrite chains a live patch priority CVE-2026-42945 is now being exploited against NGINX. Patch exposed rewrite-based deployment… 🔗 Details → https://t.co/ObgIX9uBop

    @lucasverdan

    18 May 2026

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. Experts warn of active exploitation of the critical NGINX vulnerability bearing the identifier CVE-2026-42945. Experts are issuing warnings about the active exploitation of a critical flaw in NGINX, identified as CVE-2026-42945. https://t.co/2uEo2E1b3W #NG

    @fad_777

    18 May 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 https://t.co/2m9hAYJWqn

    @ohhara_shiojiri

    18 May 2026

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🚨 CVE-2026-42945: NGINX heap buffer overflow exploited in the wild. Affected: NGINX Open Source 0.6.27–1.30.0 ✅ Upgrade to 1.30.1, 1.31.0, or later. https://t.co/MAJHUMQaR8 #NGINX #CVE #RCE #CyberSecurity #Vulert

    @vulert_official

    18 May 2026

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes