NGINX CVE-2026-42945 Under Active Exploitation After F5 Patch Drop

VulnCheck confirmed in-the-wild exploitation of NGINX CVE-2026-42945, a critical heap overflow, within days of F5's patch; 5.7 million servers are exposed.

Active in-the-wild exploitation of CVE-2026-42945 — a critical heap buffer overflow in NGINX’s rewrite module with a CVSS score of 9.2 — was confirmed by VulnCheck researchers within days of F5 releasing patches. The flaw affects both NGINX Plus and NGINX Open Source and went undetected for 16 years before patches were issued. Approximately 5.7 million internet-exposed NGINX servers run potentially vulnerable versions, though the truly exploitable subset is smaller due to configuration requirements.

CVE-2026-42945 Flaw in NGINX’s Rewrite Module Went Undetected for 16 Years

CVE-2026-42945 is a heap buffer overflow in NGINX’s ngx_http_rewrite_module, the component responsible for processing URL rewrite rules. The vulnerability is present in both NGINX Plus and NGINX Open Source — the two main distribution variants of the world’s most widely deployed web server — and existed undetected for 16 years before F5 issued patches.

F5 acquired NGINX in 2019 and serves as the commercial maintainer of the platform. Patches for CVE-2026-42945 became available from F5, though the speed with which exploitation followed the patch release indicates that attackers had already developed working attack code — or moved quickly once a public technical write-up became available.

How the Two-Pass Script Engine Flaw Enables Heap Overflow via Crafted HTTP Requests

The vulnerability stems from a flaw in a two-pass processing approach within NGINX’s rewrite engine. During the first pass, the engine calculates the buffer size needed to process a rewrite rule. During the second pass, it copies data into that buffer. An internal state change that occurs between the two passes means the buffer size calculated in the first pass no longer matches the amount of data copied in the second: the copy can exceed the allocation, allowing attacker-supplied data to be written beyond heap boundaries.

Exploitation requires no authentication. Crafted HTTP requests are sufficient to trigger the out-of-bounds write against any unpatched NGINX instance accessible from the network. The absence of an authentication requirement significantly expands the attack surface, as there is no credential barrier between the attacker and the vulnerable code path.
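To make the two-pass failure mode concrete, the following is an added, deliberately simplified C model written for this article; it is hypothetical and is not NGINX’s code. The single piece of engine state it uses (whether special bytes are percent-escaped) is an assumption standing in for whatever internal state changes between the passes in the real engine. What it shows is the hardened pattern a defender expects in such code: the capacity recorded when the buffer is allocated bounds every write in the second pass, so a state change between the passes fails closed instead of producing an out-of-bounds heap write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, much simplified two-pass script engine: pass 1 measures the
 * output, pass 2 writes it. The only state that influences the output length
 * is whether special bytes are escaped (each escaped byte expands to %XX).
 * This is an added illustration, not NGINX's implementation. */
typedef struct {
    int escape;   /* 1: expand special bytes to %XX, 0: copy through */
} engine_state;

static int needs_escape(unsigned char c) {
    return c == ' ' || c == '?' || c == '#' || c == '%';
}

/* Pass 1: how many bytes the output occupies under the current state
 * (including the terminating NUL). */
size_t pass1_size(const engine_state *st, const char *in) {
    size_t n = 0;
    for (; *in; in++)
        n += (st->escape && needs_escape((unsigned char)*in)) ? 3 : 1;
    return n + 1;
}

/* Pass 2, hardened: every write is bounded by the capacity recorded at
 * allocation time, so a state change between the passes yields an error
 * instead of an out-of-bounds write. Returns 0 on success, -1 on overflow. */
int pass2_copy_checked(const engine_state *st, const char *in, char *out, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t pos = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (st->escape && needs_escape(c)) {
            if (pos + 3 >= cap) return -1;   /* would not leave room for NUL */
            out[pos++] = '%';
            out[pos++] = hex[c >> 4];
            out[pos++] = hex[c & 0xF];
        } else {
            if (pos + 1 >= cap) return -1;
            out[pos++] = (char)c;
        }
    }
    out[pos] = '\0';
    return 0;
}

/* Drives both passes. flip_between_passes models the internal state change
 * the article describes: the size is measured under one state and the copy
 * runs under another. Returns 0 if the rewrite completed and stores the
 * malloc'd result in *out_p; returns -1 (and NULL) if the bounded copy
 * refused to overflow the buffer. */
int rewrite(const char *in, int escape, int flip_between_passes, char **out_p) {
    engine_state st = { escape };
    size_t cap = pass1_size(&st, in);
    char *out = malloc(cap);
    *out_p = NULL;
    if (!out) return -1;
    if (flip_between_passes) st.escape = !st.escape;
    if (pass2_copy_checked(&st, in, out, cap) != 0) {
        free(out);
        return -1;
    }
    *out_p = out;
    return 0;
}

int main(void) {
    char *out;
    if (rewrite("/a b", 1, 0, &out) == 0) { printf("ok: %s\n", out); free(out); }
    if (rewrite("/a b", 0, 1, &out) != 0) printf("refused: size pass and copy pass disagreed\n");
    return 0;
}
```

The second call in main measures the input with escaping off (5 bytes) and then copies with escaping on (7 bytes); a copy loop that trusts the pass-1 number blindly would write two bytes past the allocation, which is exactly the class of mismatch the article attributes to the rewrite module. Bounding the copy by the stored capacity is the cheap structural fix; recomputing the size after the state change is the other.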

Active Exploitation Confirmed by VulnCheck Within Days of F5’s Patch Release

Exploitation began within days of F5 releasing patches, driven by a public technical write-up and proof-of-concept code released by Depthfirst. VulnCheck researchers confirmed the in-the-wild exploitation after tracking attacker activity targeting unpatched servers.

The speed from patch publication to confirmed exploitation is consistent with the pattern seen when high-CVSS vulnerabilities in widely deployed infrastructure receive public PoC coverage. Attackers routinely scan for unpatched instances within hours of a public technical write-up, and the 5.7 million exposed NGINX servers represent a large target pool.

DoS by Default, RCE When ASLR Disabled: The Two Exploitation Outcomes for CVE-2026-42945

Exploitation does not produce the same result across all deployments. On default NGINX configurations, successful exploitation triggers a server restart — a denial of service that disrupts availability but does not give the attacker code execution. On systems where address space layout randomization is disabled, the same heap overflow is exploitable for remote code execution, allowing the attacker to run arbitrary commands on the server.

The exploitable subset of the 5.7 million exposed servers is therefore defined in part by ASLR configuration. Default Linux server configurations enable ASLR, making pure RCE harder to achieve in most environments. However, denial-of-service capability alone is sufficient for disruptive attacks against public-facing infrastructure, and ASLR-disabled configurations are present in some embedded and specialized deployment environments where NGINX is used.
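For deciding which hosts fall into the RCE-exposed subset the article describes, here is an added C audit helper written for this article (not from the article, VulnCheck, or NGINX). It parses the Linux randomize_va_space sysctl and checks whether an ELF binary is ET_DYN, i.e. built as a position-independent executable that ASLR can actually relocate. The default binary path /usr/sbin/nginx is an assumption and can be overridden on the command line; the ELF headers used in the test are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added audit helper, not from the article or from NGINX. It answers two
 * questions a defender asks when triaging the DoS-vs-RCE split: is ASLR
 * enabled on the host, and is the nginx binary a PIE so that ASLR applies
 * to its code segment at all? */

/* Parse the contents of /proc/sys/kernel/randomize_va_space.
 * Returns 0 (disabled), 1 (stack/mmap/vdso randomized), 2 (brk as well),
 * or -1 if the text is not one of those values. */
int parse_randomize_va_space(const char *text) {
    if (!text) return -1;
    while (*text == ' ' || *text == '\t') text++;
    if (*text < '0' || *text > '2') return -1;
    int v = *text - '0';
    text++;
    if (*text != '\0' && *text != '\n') return -1;
    return v;
}

/* Inspect the start of an ELF file. Returns 1 if the object is ET_DYN
 * (a PIE, so its load address can be randomized), 0 if ET_EXEC (fixed
 * load address), -1 if the buffer is not a recognisable ELF header. */
int elf_is_position_independent(const unsigned char *hdr, size_t len) {
    if (len < 18) return -1;
    if (memcmp(hdr, "\x7f" "ELF", 4) != 0) return -1;   /* e_ident magic */
    int little = (hdr[5] == 1);                          /* EI_DATA: 1 = LSB, 2 = MSB */
    if (!little && hdr[5] != 2) return -1;
    uint16_t e_type = little ? (uint16_t)(hdr[16] | (hdr[17] << 8))
                             : (uint16_t)((hdr[16] << 8) | hdr[17]);
    if (e_type == 3) return 1;   /* ET_DYN */
    if (e_type == 2) return 0;   /* ET_EXEC */
    return -1;
}

/* Read up to `want` bytes of a file into a NUL-terminated malloc'd buffer. */
static unsigned char *read_prefix(const char *path, size_t want, size_t *got) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    unsigned char *buf = malloc(want + 1);
    if (!buf) { fclose(f); return NULL; }
    *got = fread(buf, 1, want, f);
    buf[*got] = '\0';
    fclose(f);
    return buf;
}

int main(int argc, char **argv) {
    /* Assumed default location; pass the real path as argv[1]. */
    const char *binary = argc > 1 ? argv[1] : "/usr/sbin/nginx";
    size_t n = 0;

    unsigned char *sys = read_prefix("/proc/sys/kernel/randomize_va_space", 8, &n);
    int aslr = sys ? parse_randomize_va_space((const char *)sys) : -1;
    free(sys);

    unsigned char *hdr = read_prefix(binary, 64, &n);
    int pie = hdr ? elf_is_position_independent(hdr, n) : -1;
    free(hdr);

    printf("randomize_va_space = %d (%s)\n", aslr,
           aslr == 2 ? "full ASLR" : aslr == 1 ? "partial ASLR" :
           aslr == 0 ? "DISABLED" : "unknown");
    printf("%s: %s\n", binary,
           pie == 1 ? "PIE (load address randomizable)" :
           pie == 0 ? "non-PIE (fixed load address)" : "not readable as ELF");
    if (aslr != 2 || pie != 1)
        printf("WARNING: heap-overflow mitigation is weakened on this host\n");
    return 0;
}
```

Both checks matter: a non-PIE nginx keeps a predictable code base even when the kernel setting is 2, and an ASLR-disabled kernel defeats the randomization regardless of how the binary was built. Run it against the binary the running master process was actually launched from rather than a guessed package path, and treat any host that prints the warning as belonging to the RCE-exposed subset for patch prioritisation.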
