
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)

It relies on a specific Nginx config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, ASLR also needs to have been disabled on the box.

The PoC they've built specifically disables ASLR, deploys a specifically vulnerable config, and the exploit knows about the vulnerable config endpoint.

@GossiTheDog
>It relies on a specific Nginx config to be vulnerable, and for attacker to know or discover the config to exploit it.
You can just scan the whole Internet with this. The attacker doesn't need to know the configuration.

>The PoC they've built specifically disabled ASLR
Doesn't really matter either. So far, randomization has always been just another fence to jump over. It makes exploitation harder, not impossible.

Regarding CVE-2026-42945 in nginx - no modern (or even old) Linux distribution runs nginx without ASLR.

The way the PoC exploit works is they spawn nginx like this:

> exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf

setarch -R disables ASLR. I've had a look through GitHub and I can't find any other software which actually does this for nginx either.

So, cool, sweet technical vuln - it's valid - but the RCE apocalypse ain't coming.

@GossiTheDog why do people keep pretending ASLR is impenetrable? Malware authors have been bypassing it for *decades*. And not all ASLR is equal.

> The Linux kernel 5.18 released May 2022 reduced the effectiveness of both 32-bit and 64-bit implementations.

> For 64-bit Linux, the 28 bits of entropy is reduced to 19 bits.

OOPS
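Since the thread turns on whether nginx is actually running with ASLR disabled (the PoC's setarch -R sets the ADDR_NO_RANDOMIZE personality flag on the process), here is an added audit script for checking that on a host. It is not from any of the posts above; the function and variable names are my own, and it assumes a Linux /proc filesystem and root (or same-uid) access to read /proc/PID/personality.

```bash
#!/bin/bash
# Added example, not code from the thread: report the system-wide ASLR sysctl
# and flag any running process (default name: nginx) whose personality has
# ADDR_NO_RANDOMIZE set, which is exactly what `setarch -R` does.
ADDR_NO_RANDOMIZE=0x0040000   # value from <linux/personality.h>

# True (exit 0) when a /proc/PID/personality hex value has ADDR_NO_RANDOMIZE set.
aslr_disabled_personality() {
    local hex=$1
    [ $(( 0x$hex & ADDR_NO_RANDOMIZE )) -ne 0 ]
}

# Human-readable label for kernel.randomize_va_space (0 = off, 1 = partial, 2 = full).
randomize_va_space_label() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "partial (stack/mmap/vdso only)" ;;
        2) echo "full (stack/mmap/vdso/brk)" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# Walk /proc, match processes by comm, and print their ASLR status.
# /proc/PID/personality is only readable by root or the process owner.
scan_processes() {
    local name=${1:-nginx} pidfile pid comm pers
    for pidfile in /proc/[0-9]*; do
        pid=${pidfile#/proc/}
        comm=$(cat "$pidfile/comm" 2>/dev/null) || continue
        [ "$comm" = "$name" ] || continue
        pers=$(cat "$pidfile/personality" 2>/dev/null) \
            || { echo "$pid ($name): personality unreadable (need root)"; continue; }
        if aslr_disabled_personality "$pers"; then
            echo "$pid ($name): ASLR DISABLED via personality=$pers"
        else
            echo "$pid ($name): aslr ok, personality=$pers"
        fi
    done
}

if [ -r /proc/sys/kernel/randomize_va_space ]; then
    echo "kernel.randomize_va_space: $(randomize_va_space_label "$(cat /proc/sys/kernel/randomize_va_space)")"
fi
scan_processes "${1:-nginx}"
```

A master process launched as in the PoC shows personality=00040000 and is flagged, while its workers inherit the same flag, so a clean host should print only "aslr ok" lines.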