Full Report
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the
Analysis Summary
# Vulnerability: NGINX Heap Buffer Overflow in Rewrite Module
## CVE Details
- **CVE ID:** CVE-2026-42945
- **CVSS Score:** 9.2 (Critical)
- **CWE:** CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:** NGINX Plus, NGINX Open Source
- **Versions:** 0.6.27 through 1.30.0
- **Configurations:** Systems using the `ngx_http_rewrite_module`. Exploitability is sensitive to the specific NGINX configuration and depends heavily on whether Address Space Layout Randomization (ASLR) is enabled on the host OS.
## Vulnerability Description
A heap buffer overflow exists within the `ngx_http_rewrite_module`. The flaw, which dates back to code introduced in 2008, can be triggered by processing crafted HTTP requests. This memory corruption allows an unauthenticated attacker to cause the NGINX worker processes to crash, resulting in a Denial of Service (DoS), or potentially achieve Remote Code Execution (RCE).
## Exploitation
- **Status:** Exploited in the wild (Detected by VulnCheck honeypots)
- **Complexity:** Medium to High (RCE requires ASLR to be disabled and knowledge of specific target configurations)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (If RCE is achieved)
- **Integrity:** High (If RCE is achieved)
- **Availability:** High (Worker process crashes/DoS)
## Remediation
### Patches
- Users are advised to upgrade to the latest versions provided by F5/NGINX. Consult official vendor advisories for the specific patched version numbers for your branch (e.g., Mainline vs. Stable).
- OS distribution maintainers (such as AlmaLinux) have begun releasing updated packages.
### Workarounds
- **Enable ASLR:** Ensure Address Space Layout Randomization is enabled at the OS level to mitigate the risk of reliable Remote Code Execution.
- **Configuration Review:** Monitor and restrict the use of complex rewrite rules if immediate patching is not possible, though patching remains the primary recommendation.
## Detection
- **Indicators of Compromise:** Unusual NGINX worker process crashes or restarts (coredumps).
- **Detection Methods:** Monitor HTTP logs for anomalous or malformed requests targeting rewrite module logic. Security teams should deploy signatures for heap overflow patterns in web application firewalls (WAFs).
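
The checks above (affected version range, ASLR state, worker crashes) can be combined into one host triage pass. The following is an added example, not code from F5/NGINX or the cited sources; it assumes a Linux host (`kernel.randomize_va_space`), the default NGINX `error.log` format, constructed sample log lines, and an arbitrary burst threshold of three crashes per minute.

```python
import re
from collections import Counter

# Affected range as stated on this page: 0.6.27 through 1.30.0 (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (0, 6, 27), (1, 30, 0)
# The NGINX master process logs abnormal worker exits at [alert] level.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)
MEMORY_SIGNALS = {6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV"}

# Constructed sample error.log lines (not taken from a real incident).
SAMPLE_LOG = """\
2026/05/14 09:12:01 [notice] 811#811: signal 17 (SIGCHLD) received from 4410
2026/05/14 09:12:01 [alert] 811#811: worker process 4410 exited on signal 11 (core dumped)
2026/05/14 09:12:07 [alert] 811#811: worker process 4422 exited on signal 11 (core dumped)
2026/05/14 09:12:31 [alert] 811#811: worker process 4431 exited on signal 11
2026/05/14 09:40:15 [notice] 811#811: worker process 4440 exited with code 0
2026/05/14 10:03:44 [alert] 811#811: worker process 4452 exited on signal 9
""".splitlines()

def in_affected_range(version_output):
    """Parse `nginx -v` output (e.g. "nginx version: nginx/1.24.0")."""
    # Distro packages may backport fixes without bumping this number: a match
    # means "verify the package changelog", not "confirmed vulnerable".
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no nginx version found in input")
    return AFFECTED_MIN <= tuple(int(x) for x in m.groups()) <= AFFECTED_MAX

def aslr_state(value):
    """Map kernel.randomize_va_space: 1 leaves the brk heap unrandomized."""
    return {0: "off", 1: "partial", 2: "full"}[int(value.strip())]

def worker_crashes(lines, threshold=3):
    """Return memory-fault worker exits and the minutes holding >= threshold."""
    hits, per_minute = [], Counter()
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m["sig"]) in MEMORY_SIGNALS:
            sig = MEMORY_SIGNALS[int(m["sig"])]
            hits.append((m["ts"], int(m["pid"]), sig, bool(m["core"])))
            per_minute[m["ts"][:16]] += 1  # bucket by YYYY/MM/DD HH:MM
    bursts = sorted(minute for minute, n in per_minute.items() if n >= threshold)
    return hits, bursts
```

On a live host, feed `aslr_state` the contents of `/proc/sys/kernel/randomize_va_space` and `in_affected_range` the output of `nginx -v`, which NGINX writes to stderr.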
## References
- [https://thehackernews\[.\]com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html]
- [https://almalinux\[.\]org/blog/2026-05-13-nginx-rift-cve-2026-42945/]
- [https://github\[.\]com/advisories/GHSA-mg2w-x76x-59h8] (Related openDCIM advisory)