18-Year-Old NGINX Bug CVE-2026-42945 Under Active Attack

On May 17, 2026, VulnCheck confirmed active exploitation attempts targeting CVE-2026-42945, a heap buffer overflow that remained latent for nearly 18 years within the NGINX rewrite module. The flaw, introduced in 2008 and disclosed on May 14, allows unauthenticated attackers to crash worker processes with a single, specially crafted HTTP request. While F5 has issued patches, the ubiquity of rewrite configurations across web servers has shifted the focus from simple updates to the broader management of critical infrastructure technical debt.

Deconstructing the Overflow: How a Crafted Request Topples Workers

The vulnerability resides specifically within the ngx_http_rewrite_module. According to the F5 advisory, the issue is triggered when a rewrite directive is followed by additional rewrite, if, or set directives, and utilizes unnamed Perl-Compatible Regular Expression (PCRE) captures (such as $1, $2) with a replacement string containing a '?'. Under these specific conditions, the module's parsing logic fails to respect heap buffer boundaries, resulting in an overflow.

Analysis from depthfirst indicates that the vulnerability is reachable without any form of authentication. An attacker only needs the ability to reach the server via HTTP. The criticality is amplified by the flaw's longevity: the vulnerable code was introduced in 2008, making this one of the longest-standing bugs discovered in a core component of modern web infrastructure. Affected versions span nearly two decades of releases, from 0.6.27 up to 1.30.0.

"An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution" — depthfirst

The actual scope of the threat depends on the specific server configuration. While not every NGINX installation exposes the rewrite module in this precise manner, where the conditions are met, exploitability is direct and requires only a single network transaction.

RCE vs. DoS: ASLR as the Critical Barrier

Despite the structural severity of the buffer overflow, the transition from a process crash to remote code execution is not guaranteed across all platforms. The F5 advisory specifies that code execution is achievable on systems where Address Space Layout Randomization (ASLR) is inactive. Security researcher Kevin Beaumont noted that for RCE to be viable, an attacker typically needs to target a machine where ASLR has been disabled.

This distinction is vital for risk assessment. Maintainers of AlmaLinux pointed out that on systems with active ASLR—the default configuration for all supported releases of the distribution—producing a reliable, generic exploit is unlikely. However, DoS remains a significant and immediate threat: the crashing of worker processes can trigger a loop that renders services unavailable, impacting hosting providers and mission-critical applications alike.

Legacy installations, containers with reduced hardening, or embedded environments where ASLR is disabled for compatibility reasons remain high-risk targets for RCE. While there are currently no public confirmations that in-the-wild exploits have achieved code execution on production systems, the theoretical condition is documented and verified.

Honeypots Trigger: First In-the-Wild Exploits Detected

VulnCheck’s confirmation has moved CVE-2026-42945 from a theoretical vulnerability to an active operational threat. The threat intelligence firm began detecting exploitation attempts across its honeypot networks on May 17, 2026. This rapid escalation following the May 14 disclosure suggests that threat actors moved quickly to capitalize on the massive exposure window.

The speed at which offensive actors moved into the practice phase is unsurprising to threat intelligence professionals, yet it creates a tight timeline for security teams. Only three days elapsed between disclosure and the first logged exploits. This window, though narrow, is sufficient for actors with automated scanning infrastructures to mass-test internet-facing surfaces.

Several parameters of this activity remain unknown. It is not yet clear if the detected exploits resulted in successful compromises or were merely part of initial scanning and reconnaissance. Information regarding specific sectors, geographies, or targets is currently unavailable. Furthermore, there has been no public release of a Proof-of-Concept (PoC) for RCE, which limits a full understanding of the campaign’s current capabilities.

Remediation and Response Strategies

Responding to this emergency requires prioritized technical action. Infrastructure operators are advised to follow these four steps:

Deploy updates immediately. F5 has issued distinct fixes for both commercial and open-source branches. For NGINX Plus, the corrected versions are R32 P6 and R36 P4. For NGINX Open Source, the fixed releases are 1.30.1 and 1.31.0. Patching is the only definitive countermeasure, as it remediates the buffer handling logic within the rewrite module.

Audit configurations. Administrators should identify the use of rewrite directives followed by if, set, or other rewrite rules that use unnamed PCRE captures ($1, $2) and replacement strings containing '?'. While configuration management and automated audit tools can accelerate this process, it should not be considered a final mitigation. As long as the binary remains unpatched, the vulnerable parser remains in memory.

Enforce ASLR. On Linux systems, verify that Address Space Layout Randomization is enabled at the kernel level. While this does not prevent DoS—as the worker process will still crash—it significantly raises the barrier for remote code execution on standard physical and virtual servers.

Monitor worker crashes. Even failed RCE attempts will cause a worker process crash. Monitoring NGINX error logs and core dumps for anomalous segmentation faults immediately following external HTTP requests is a critical indicator of an active attack attempt.

The resurgence of a bug from 2008 illustrates that attack surfaces are defined not just by new code, but by forgotten architectural choices. For enterprises managing large-scale web infrastructure, CVE-2026-42945 is more than a patching alert; it is a reminder that security technical debt in stable servers can spontaneously transform into an active threat. The speed of detection by VulnCheck, combined with the relative simplicity of the attack, necessitates an urgent audit of all assets, not just high-profile perimeter systems.

Frequently Asked Questions

Is my installation vulnerable if I don't explicitly use the rewrite module?
No. The bug is only triggered by a specific configuration involving rewrite directives with unnamed PCRE captures and replacement strings containing '?'. If your server does not utilize this combination, the flaw cannot be triggered externally, even if the vulnerable code exists in the binary.

Is updating NGINX sufficient, or must I also change my configuration?
The patches released by F5 address the buffer management at the code level. Installing the fixed version resolves the vulnerability. While reviewing rewrite rules is a good hardening practice, it is not a substitute for patching the binary.

Why did this bug remain hidden for 18 years?
The trigger condition is highly specific—requiring a precise pattern of unnamed PCRE captures and '?' characters in certain rewrite contexts. This specificity allowed the defect to remain latent for nearly two decades until recent analysis mapped the exact path to the overflow, leading to the disclosure on May 14, 2026.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html
• https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html
• https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html
• https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html