How Orca Traced an nginx Flaw to 1.45 Million Tengine Servers
While the rest of the industry was busy patching nginx, Orca’s Threat Research Team was asking a different question, and the answer led us straight to Tengine. Tengine, Alibaba’s nginx fork, is deployed on 1.45 million internet-facing servers worldwide and carries the exact same vulnerable code behind CVE-2026-42945 and CVE-2026-9256. These CVEs are two heap buffer overflows that let an unauthenticated attacker crash a Tengine worker process with a single crafted HTTP request. These vulnerabilities were untouched, unpatched, and almost completely unmonitored for nearly two decades. We’re talking CDN edges, reverse proxies, and the Aliyun and Taobao infrastructure that fronts an enormous chunk of the internet.
The two CVEs we started with are both heap buffer overflows in nginx’s rewrite engine: same source file (ngx_http_script.c), same function family, two different bugs.

CVE-2026-42945 (“NGINX Rift”) has a CVSS (v4) score of 9.2. A stale is_args flag leaks between chained rewrite rules, causing the length-calculation pass and the write pass to disagree about the buffer size. It was fixed in nginx 1.30.1 / 1.31.0 on May 13, 2026.

CVE-2026-9256 (“nginx-poolslip”) also has a CVSS (v4) score of 9.2. Overlapping PCRE captures cause the URI-escape overhead to be counted once during sizing but written twice. It was fixed in nginx 1.30.2 / 1.31.1 on May 22, 2026, so upgrading to 1.30.1 to patch the first CVE leaves you exposed to the second. Both bugs have been in the wild for eighteen years, both are unauthenticated, and both are triggered by a single crafted HTTP request.

We pulled Tengine 3.1.0 from source. It is based on nginx 1.24.0, well behind the patched versions, and carries both bugs untouched in two functions in ngx_http_script.c: ngx_http_script_regex_start_code() (CVE-2026-9256) and ngx_http_script_regex_end_code() (CVE-2026-42945).
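Both bugs share one shape: a sizing pass computes how large the output buffer must be, a separate write pass fills it, and the two disagree. The toy program below is an added example written for this post, not nginx or Tengine code, and its escape table is a constructed one. It shows the defensive pattern that removes the bug class regardless of which pass is wrong: the write pass enforces the capacity itself and fails closed. `build_twice()` copies one escaped capture into a buffer twice; when the caller's sizing pass counted the escaped length only once (the "counted once, written twice" mismatch), the bounded writer refuses instead of writing past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed set of bytes that expand to "%XX" (3 bytes) when escaped.
 * Illustrative only; this is not nginx's escape table. */
static int needs_escape(unsigned char c)
{
    return c == ' ' || c == '+' || c == '#' || c == '%' || c == '?'
        || c < 0x20 || c >= 0x7f;
}

/* Sizing pass: bytes needed for the escaped form of src (no terminator). */
size_t escaped_len(const char *src)
{
    size_t n = 0;
    for (; *src; src++)
        n += needs_escape((unsigned char) *src) ? 3 : 1;
    return n;
}

/* Write pass: escape src into dst without ever exceeding cap bytes.
 * Returns bytes written, or -1 when dst is too small. Because the bound is
 * enforced here, an under-counting sizing pass cannot become an overflow. */
long escape_bounded(char *dst, size_t cap, const char *src)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t used = 0;

    for (; *src; src++) {
        unsigned char c = (unsigned char) *src;
        size_t need = needs_escape(c) ? 3 : 1;

        if (used + need > cap)
            return -1;
        if (need == 3) {
            dst[used] = '%';
            dst[used + 1] = hex[c >> 4];
            dst[used + 2] = hex[c & 0x0f];
        } else {
            dst[used] = (char) c;
        }
        used += need;
    }
    return (long) used;
}

/* Model of a rewrite that copies the same capture twice into one buffer.
 * 'counted' is how many escaped copies the sizing pass accounted for:
 * 2 is correct; 1 reproduces the "counted once, written twice" mismatch.
 * Returns 0 and sets *out on success, -1 when the bounded writer refused
 * rather than write past the allocation. Caller frees *out. */
int build_twice(const char *capture, int counted, char **out)
{
    size_t alloc = (size_t) counted * escaped_len(capture) + 1;
    char *buf = malloc(alloc);
    long w1, w2;

    *out = NULL;
    if (buf == NULL)
        return -1;

    w1 = escape_bounded(buf, alloc - 1, capture);
    if (w1 < 0) { free(buf); return -1; }
    w2 = escape_bounded(buf + w1, alloc - 1 - (size_t) w1, capture);
    if (w2 < 0) { free(buf); return -1; }

    buf[w1 + w2] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    char *s;

    if (build_twice("a+b", 2, &s) == 0) {      /* correctly sized */
        printf("ok: %s\n", s);
        free(s);
    }
    if (build_twice("a+b", 1, &s) != 0)        /* under-sized: refused */
        printf("under-sized buffer refused, no overflow\n");
    return 0;
}
```

The point is not the toy escaper but where the check lives: a sizing pass is an optimisation, and the write pass has to be the authority on how many bytes it may emit. An ASan build of the same toy with the `cap` check removed would report exactly the kind of one-byte WRITE past a heap region that the post shows for Tengine.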
To confirm that both bugs were actually exploitable in Tengine 3.1.0, not just present in the code, we built a controlled test environment and ran the attacks end-to-end. Tengine 3.1.0 was compiled from source with AddressSanitizer (-fsanitize=address) in a Docker container.

For CVE-2026-9256 (/vuln/, overlapping captures, 900 '+' characters), the worker crashed and its PID changed from 7 to 47 as the master respawned a fresh worker. The ASAN output reported a heap-buffer-overflow on address 0xffff9ba205d0, specifically a WRITE of size 1 at that address in ngx_escape_uri, called by ngx_http_script_copy_capture_code and ngx_http_rewrite_handler. The address 0xffff9ba205d0 was located 0 bytes to the right of a 4304-byte region.

For CVE-2026-42945 (/rift/, chained rewrites, 3200 'A' and 900 '+' characters), the worker also crashed and its PID changed from 47 to 102. The ASAN output reported a heap-buffer-overflow on address 0xffff9ba1c91c, specifically a WRITE of size 1 at that address in ngx_escape_uri, called by ngx_http_script_copy_capture_code.

When Orca began this research, no patch, no commit, and no acknowledgment of these vulnerabilities from Tengine’s maintainers existed. As of June 10, 2026, both CVEs have been fixed in the main branch, with a patched release (Tengine 3.2.0) targeted for June 30, 2026. Recommended mitigation steps are included at the end of this blog.
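Because upgrading to nginx 1.30.1 still leaves the second bug in place, fleet triage has to compare against the right fixed release for each branch. The following helper is an added example, not Orca's tooling or Tengine's code: it classifies a `Server` header value against the fix versions stated in this post (nginx 1.30.2 / 1.31.1, Tengine 3.2.0). The banner formats it parses are assumptions, and two caveats apply: Tengine and nginx can be configured to report only a bare product name or nothing at all, and a banner can be rewritten by anything in front of the server, so a `-1` or `0` here is an inventory hint, not proof that a host is patched. The assumption that nginx branches newer than 1.31 are fixed is also mine, not the post's.

```c
#include <stdio.h>
#include <string.h>

/* Three-part version compare: negative, zero or positive like strcmp. */
static int vcmp(int a0, int a1, int a2, int b0, int b1, int b2)
{
    if (a0 != b0) return a0 - b0;
    if (a1 != b1) return a1 - b1;
    return a2 - b2;
}

/* Classify a Server header value such as "Tengine/3.1.0" or "nginx/1.24.0".
 * Returns 1 if the reported release predates the fixes named in the post
 * (nginx 1.30.2 / 1.31.1, Tengine 3.2.0), 0 if it is at or past them,
 * -1 if no version can be read (banner suppressed, other software).
 * Assumption, not from the post: nginx branches newer than 1.31 count as
 * fixed. The "Tengine/x.y.z" banner format is also an assumption. */
int banner_needs_patch(const char *server)
{
    int a, b, c;

    if (sscanf(server, "Tengine/%d.%d.%d", &a, &b, &c) == 3)
        return vcmp(a, b, c, 3, 2, 0) < 0;

    if (sscanf(server, "nginx/%d.%d.%d", &a, &b, &c) == 3) {
        if (vcmp(a, b, c, 1, 30, 0) < 0)      /* older than both fixed branches */
            return 1;
        if (a == 1 && b == 30)                 /* stable branch */
            return vcmp(a, b, c, 1, 30, 2) < 0;
        if (a == 1 && b == 31)                 /* mainline branch */
            return vcmp(a, b, c, 1, 31, 1) < 0;
        return 0;                              /* newer branch: assumed fixed */
    }
    return -1;
}

int main(void)
{
    /* Constructed sample banners, not collected from real hosts. */
    const char *samples[] = {
        "Tengine/3.1.0", "Tengine/3.2.0", "nginx/1.24.0",
        "nginx/1.30.1",  "nginx/1.30.2",  "nginx/1.31.1", "Tengine"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = banner_needs_patch(samples[i]);
        printf("%-14s -> %s\n", samples[i],
               r == 1 ? "needs patch" : r == 0 ? "at or past fix" : "unknown");
    }
    return 0;
}
```

Note that "nginx/1.30.1" is correctly flagged: it closes CVE-2026-42945 but not CVE-2026-9256, which is the trap the post warns about.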