There's serious panic being caused by AI-discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.

A thread on a few of them.

CVE-2026-34486 - Tomcat

- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.

CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)

It relies on a specific Nginx config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, ASLR also needs to have been disabled on the box.

The PoC they've built specifically disables ASLR, deploys a specifically vulnerable config and the exploit knows about the vulnerable config endpoint.

I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.

Regarding CVE-2026-42945 in nginx - no modern (or even old) Linux distribution runs nginx without ASLR.

The way the PoC exploit works is they spawn nginx like this:

> exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf

setarch -R disables ASLR. I've had a look through GitHub and I can't find any other software which actually does this for nginx either.

So, cool, sweet technical vuln - it's valid - but the RCE apocalypse ain't coming.
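A defender-side check for the precondition described above, added here as an example and not part of the original thread or the PoC: it reports nginx processes running without ASLR, either because `kernel.randomize_va_space` is 0 or because the process carries the `ADDR_NO_RANDOMIZE` personality flag that `setarch -R` sets. The function names and the constructed sample tree helper are assumptions of this example.

```python
import os

ADDR_NO_RANDOMIZE = 0x0040000  # personality(2) flag set by `setarch -R`

def system_aslr_mode(proc_root="/proc"):
    """Return kernel.randomize_va_space (0 = off, 1 = partial, 2 = full)."""
    with open(os.path.join(proc_root, "sys/kernel/randomize_va_space")) as f:
        return int(f.read().strip())

def processes_without_aslr(name="nginx", proc_root="/proc"):
    """Return sorted PIDs of processes named `name` that run without ASLR."""
    system_off = system_aslr_mode(proc_root) == 0
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                if f.read().strip() != name:
                    continue
            # /proc/<pid>/personality is a hex word; reading it for other
            # users' processes needs root, so unreadable entries are skipped.
            with open(os.path.join(base, "personality")) as f:
                persona = int(f.read().strip(), 16)
        except (OSError, ValueError):
            continue
        if system_off or persona & ADDR_NO_RANDOMIZE:
            hits.append(int(entry))
    return sorted(hits)

def build_sample_proc(root, aslr_mode, procs):
    """Write a constructed /proc-like tree; procs maps pid -> (comm, personality hex)."""
    os.makedirs(os.path.join(root, "sys/kernel"), exist_ok=True)
    with open(os.path.join(root, "sys/kernel/randomize_va_space"), "w") as f:
        f.write(f"{aslr_mode}\n")
    for pid, (comm, persona) in procs.items():
        os.makedirs(os.path.join(root, str(pid)), exist_ok=True)
        for fname, value in (("comm", comm), ("personality", persona)):
            with open(os.path.join(root, str(pid), fname), "w") as f:
                f.write(value + "\n")

if __name__ == "__main__":
    print("randomize_va_space =", system_aslr_mode())
    print("nginx PIDs without ASLR:", processes_without_aslr("nginx"))
```

Run it as root on a Linux host so the personality files of nginx master and worker processes are readable; an empty list with `randomize_va_space = 2` means the setup the PoC depends on is not present.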

@GossiTheDog If I got it right, they have a working PoC for ASLR enabled systems, but holding it back. Sure it requires more (probably a lot more) requests for success, but seems possible.

Or, like with many of the exploits today, it's just a marketing stunt. Sadly you never know.

@GossiTheDog plus, don’t they need to know exactly which rewrite url to request from the server that would actually trip the vuln?

@GossiTheDog hmm, depends on how good the ASLR is, I can tell you a couple of years ago it was quite bad on certain platforms, so with a systemd restarting nginx service you get a lot of tries over time (although of course nginx logs will scream) and that was enough to brute force ASLR (actually just retrying until that byte random matched what was in the exploit). I'm not deep enough into modern 64-bit ASLR, I just remember the one on ARM being bad. Still niche probably