NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
A critical heap buffer overflow in NGINX is under active exploitation, prompting urgent warnings for administrators to patch the affected rewrite module.
A critical heap buffer overflow vulnerability in NGINX, tracked as CVE-2026-42945, is currently being exploited in the wild. The flaw resides within the `ngx_http_rewrite_module` and impacts NGINX Plus and NGINX Open source versions ranging from 0.6.27 through 1.30.0. With a CVSS score of 9.2, the vulnerability poses a significant risk, potentially leading to worker process crashes or remote code execution (RCE).
Security researchers at VulnCheck identified active exploitation of the flaw shortly after its public disclosure. The vulnerability is triggered when the rewrite module processes specifically crafted HTTP requests, causing memory corruption that attackers can leverage to disrupt service availability or execute arbitrary code on the underlying server. Given the widespread use of NGINX as a web server, reverse proxy, and load balancer, the potential attack surface is vast.
Organizations running affected versions of NGINX are urged to prioritize patching or applying vendor-recommended mitigations immediately. While the vulnerability is being actively targeted, administrators should also monitor server logs for anomalous request patterns that might indicate exploitation attempts. The rapid transition from disclosure to active exploitation underscores the necessity for swift patch management cycles in critical infrastructure components.
This incident follows a broader pattern of high-severity vulnerabilities being discovered in long-standing, foundational web server software. As attackers continue to focus on foundational components of the internet stack, the speed at which security teams can identify and remediate such flaws remains a primary determinant in preventing widespread service disruption or data compromise. The Hacker News
The disclosure now includes full technical details of the heap buffer overflow in ngx_http_rewrite_module, which depthfirst researchers have named NGINX Rift. The flaw, present for 18 years, allows unauthenticated remote code execution when ASLR is disabled and can be triggered by a single crafted HTTP request. F5 has released patches for NGINX Plus R32 P6 and R36 P4, as well as Open Source versions 1.30.1 and 1.31.0, while also fixing three additional vulnerabilities (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) affecting SCGI/uWSGI memory allocation, SSL use-after-free, and charset out-of-bounds read.