CVE-2026-42945: NGINX Rewrite Module Heap Overflow Enables RCE
- Unauthenticated attackers can trigger remote code execution by exploiting a critical heap buffer overflow in the NGINX rewrite module.
- Vulnerable systems include NGINX Plus and NGINX Open Source utilizing the ngx_http_rewrite_module for complex URI redirection and manipulation.
- Administrators must prioritize updating NGINX to the latest versions and audit configuration files for high-risk rewrite directives.
Overview of the 18-Year-Old NGINX Vulnerability
Security researchers have identified a critical security flaw residing in the core logic of the NGINX rewrite module, a component used by millions of web servers worldwide. This CVE, designated as CVE-2026-42945, is a heap buffer overflow vulnerability that has existed within the codebase for 18 years. The discovery, credited to the researcher known as depthfirst, highlights the persistence of legacy bugs in even the most widely scrutinized open-source projects.
According to The Hacker News, the flaw impacts both NGINX Open Source and NGINX Plus. The vulnerability carries a CVSS v4 score of 9.2, reflecting its potential for unauthenticated RCE. Because NGINX often sits at the edge of the network acting as a reverse proxy or load balancer, exploitation of this module could grant an attacker an immediate foothold inside a protected network perimeter.
Technical Analysis of the NGINX Rewrite Module Vulnerability
The vulnerability exists within the ngx_http_rewrite_module, which is responsible for changing the request URI using regular expressions and return directives. The heap overflow occurs during the processing of specially crafted rewrite rules, particularly when the module handles complex variable captures and substitutions. When a server configuration uses these rewrite directives to process user-supplied input or URI components, an attacker can send a malformed request that triggers an out-of-bounds write on the heap.
From a MITRE ATT&CK perspective, this vulnerability aligns with ‘Exploitation for Client Execution’ (T1203). Successful exploitation allows an attacker to overwrite adjacent memory structures, potentially leading to the execution of arbitrary code with the privileges of the NGINX worker process. While NGINX often runs worker processes with limited privileges, an attacker achieving code execution can subsequently attempt Privilege Escalation to gain root access to the underlying host.
How to Detect CVE-2026-42945 Exploit Patterns
Identifying attempts to exploit this vulnerability requires a combination of configuration auditing and active monitoring. Security teams should prioritize analyzing their nginx.conf files for complex rewrite rules that interact with variables like $request_uri or $args. Defenders must integrate specific IoC patterns into their SIEM and SOC workflows to monitor for anomalous URI lengths or unexpected characters that might signify a buffer overflow attempt.
Advanced detection strategies involve monitoring for worker process crashes, which may indicate failed exploitation attempts resulting in a DDoS through service instability. If an EDR solution is present on the web server, it should be configured to alert on unexpected child processes spawned by the NGINX worker, as this is a primary indicator of successful RCE.
NGINX Open Source RCE Mitigation Steps
The primary remediation for this vulnerability is the immediate application of security patches provided by F5 (the parent company of NGINX). Organizations must ensure they are running the most recent stable or mainline versions where this flaw has been addressed. For environments where immediate patching is not feasible, the following NGINX Open Source RCE mitigation steps should be considered:
- Audit Rewrite Rules: Review all rewrite, if, and set directives within the NGINX configuration. Simplify or remove rules that perform complex regular expression matching on untrusted URI components.
- Implement WAF Rules: Deploy Web Application Firewall rules designed to inspect and limit the length and complexity of URIs and request parameters before they reach the NGINX rewrite engine.
- Restrict Worker Privileges: Verify that NGINX worker processes are running under a dedicated, non-privileged user account to limit the blast radius of a potential compromise.
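The configuration audit recommended in the detection section and in the first mitigation step can be automated. The script below is an added example written for this article, not code from NGINX or from the researchers; it scans nginx configuration text and flags rewrite, if, set and return directives that consume client-controlled variables or regex captures. The sample configuration is constructed, and the variable list and heuristics are assumptions rather than a definitive signature for this flaw.

```python
import re

# Constructed sample configuration; not taken from the article or any real deployment.
SAMPLE_CONF = """
server {
    listen 80;
    set $clean_uri $request_uri;
    if ($args ~* "^(.*)id=(\\d+)(.*)$") {
        rewrite ^/old/(.*)$ /new/$1?$args redirect;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 last;
    }
    return 301 https://example.com$request_uri;
}
"""

# Variables whose value is controlled by the client request (assumed list).
UNTRUSTED_VARS = ("$request_uri", "$args", "$query_string", "$uri", "$arg_")
AUDITED_DIRECTIVES = r"(rewrite|if|set|return)\b"


def audit_rewrite_rules(conf_text):
    """Scan nginx configuration text for rewrite-module directives that
    consume request-controlled variables or regex capture groups.

    Returns a list of (line_no, directive, reasons) in line order.
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        match = re.match(AUDITED_DIRECTIVES, line)
        if not match:
            continue
        directive = match.group(1)
        reasons = []
        if any(var in line for var in UNTRUSTED_VARS):
            reasons.append("client-controlled variable")
        # rewrite's first argument is always a regex; if is a regex only with ~ / ~*
        if directive == "rewrite" and "(" in line:
            reasons.append("regex capture group")
        elif directive == "if" and "~" in line and "(" in line.split("~", 1)[1]:
            reasons.append("regex capture group")
        if re.search(r"\$\d", line):
            reasons.append("capture substitution")
        if reasons:
            findings.append((line_no, directive, reasons))
    return findings


if __name__ == "__main__":
    for line_no, directive, reasons in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {line_no}: {directive}: {', '.join(reasons)}")
```

Run it against each nginx.conf and included file; directives that combine a client-controlled variable with a capture substitution are the ones to simplify or remove first.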
Given the ubiquity of NGINX in modern infrastructure, including Kubernetes Ingress controllers and Cloud Security gateways, the discovery of a nearly two-decade-old critical flaw serves as a reminder of the necessity for continuous security auditing and Zero Trust architecture implementation.