There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing.
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog I'd be willing to bet that if they paid real humans the same amount of money as the true cost of running the LLM, they'd find more and better bugs.
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog but but but, how else am I supposed to market magic box triage-as-a-service
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog and that's why I'm here. Thanx for keeping us calm.
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog ... also never turn off ASLR! Why would someone do that nowadays!?
-
@0xtero @GossiTheDog Meanwhile
1. AI coding agents are one of the factors contributing to shorter intervals between “vulnerability discovery” and “working exploit”
2. Orgs can’t be bothered to patch known vulnerabilities in a timely fashion so a huge proportion of cyberattacks and their associated damage are down to bugs that have been known about (and left unpatched) for half a year or more
@MisuseCase @GossiTheDog For sure. But the "from vuln to exploitation" trend has been clear downward slope for years now. (https://zerodayclock.com/). We're seeing a high volume of vulns and bugs, but I feel lot of it ends up being low, medium severity, because it's hard to exploit in real conditions. Fixing these vulns is good - but the marketing messages don't quite map to reality I feel (when do they ever..)
-
@GossiTheDog
(except fewer)@wdormann @GossiTheDog
I love this show and that scene so much lol -
@MisuseCase @GossiTheDog For sure. But the "from vuln to exploitation" trend has been clear downward slope for years now. (https://zerodayclock.com/). We're seeing a high volume of vulns and bugs, but I feel lot of it ends up being low, medium severity, because it's hard to exploit in real conditions. Fixing these vulns is good - but the marketing messages don't quite map to reality I feel (when do they ever..)
@0xtero @GossiTheDog I know about the zero day clock and part of the reason it looks like that is that people who have some idea what they’re doing (not script kiddies, though that may change) can use AI coding agents to develop exploits faster than they would otherwise.
So that part is real, or uncomfortably close to it.
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog this particular defect-leading-to-vulnerability according to F5 can be mitigated by using named parameters instead of numbered in the rewrite regex replace expressions.
I don't think the conditions that expose the issue are too terribly unusual as this is the sort of thing that would be done if one wanted to, say, wrap an older HTTP API with semantics that use path parameters.
The defect also impacts the NginX Kubernetes Ingress Controller.
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
> Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte. In this post, we discuss the exploitation technique assuming ASLR has already been bypassed.
Based on that ASLR is "just" a nuisance and not an actual show stopper
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
-
> Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte. In this post, we discuss the exploitation technique assuming ASLR has already been bypassed.
Based on that ASLR is "just" a nuisance and not an actual show stopper
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
@ePD5qRxX prove it
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog could this one be related to the Palo Alto captive portal authentication ?
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog
>It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it.
You can just scan the whole Internet with this. The attacker doesn't need to know the configuration.
>The PoC they've built specifically disabled ASLR
Doesn't really matter either. Randomization so far always was just another fence to jump over. It makes exploitation harder, not impossible. -
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
@GossiTheDog Copy Fail and Dirty Frag are pretty serious.
-
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog
Good thread o7
More bugs found is good but bugs are found and fixed everyday without much spectacle -
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
@GossiTheDog All this feels like a good demonstration of the statement that AI companies tend to have little in the way of a moat. So you have cookie-cutter LLM-linter startups trying to stand out from the vast ocean of cookie-cutter AI startups by dropping a "0day RCE", no matter how silly, with maximum splash.
-
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.
The PoC they've built specifically disabled ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.
@GossiTheDog I spent way too long figuring out how I needed to respond and now I'm annoyed at these vendors.
Admittedly I've been annoyed at these vendors for a while, it's one thing to use AI to discover vulns and another thing to use AI to create terrible writeups that are wasting everyone's time (this was an issue with CopyFail too)
If every slop receiver could bill the slop sender for the extra time taken trying to parse this stuff I think companies would think a lot harder before sending slop out
-
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
Regarding CVE-2026-42945 in nginx - no modern (or even old) Linux distribution runs nginx without ASLR.
The way the PoC exploit works is they spawn nginx like this:
> exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf
Setarch -R disables ASLR. I've had a look through Github and I can't find any other software which actually does this for nginx either.
So, cool, sweet technical vuln - it's valid - but the RCE apocalypse ain't coming.
-
K kramse@helvede.net shared this topic
