
A critical vulnerability in NGINX Plus and NGINX Open Source, tracked as CVE-2026-42945 (CVSS v4 score 9.2), is already being actively exploited only days after its disclosure.
“We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source, on VulnCheck Canaries just days after the CVE was published,” VulnCheck reported.

Last week, security researchers at depthfirst disclosed the critical heap buffer overflow vulnerability CVE-2026-42945, which impacts both NGINX Plus and NGINX Open Source. The flaw has been named NGINX Rift, and its implications extend well beyond a routine patch cycle.
NGINX powers a substantial share of the public internet: reverse proxies, load balancers, ingress controllers and application delivery platforms, which makes the attack surface here unusually broad. The vulnerability lives in ngx_http_rewrite_module, a component included in every standard NGINX build, and the trigger is a configuration pattern common enough that a significant portion of real-world deployments may be affected without their operators knowing it.
The root of the problem lies in how NGINX handles rewrite directives that combine unnamed PCRE capture groups (the familiar $1, $2 syntax) with a replacement string containing a question mark, when the rewrite is followed by another rewrite, if, or set directive in the same scope.
The mechanics are subtle, but the outcome is not. When a question mark appears in the replacement, an internal flag on the script engine is set and never cleared. A subsequent length calculation uses a fresh sub-engine that does not account for URI escaping, producing a buffer sized for the raw bytes. The actual write, however, runs on the original engine where the escaping flag is still active, and characters like +, %, and & each expand by two bytes during the copy, since a single byte becomes a three-byte %XX sequence. The result is a write that runs deterministically past the end of the allocated buffer: a heap overflow whose shape is controlled by the contents of the attacker’s URI.
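The practical question for most operators is whether any of their configs contain the trigger pattern described above. The following is an added example, not code from the researchers, VulnCheck or the NGINX project: a small nginx.conf scanner that tokenises the configuration into brace-scoped statements and flags any rewrite whose replacement contains a question mark and a numeric $N capture reference and is followed, in the same scope, by another rewrite, if or set directive. It also estimates, from the byte expansion the article describes, how far past a raw-sized buffer an escaped copy of a given capture would write. The sample configuration is constructed for the example; the three-character escape set is only the one named in the article (nginx's own ngx_escape_uri escapes more than these), so treat the estimate as a lower bound and the scanner as a triage heuristic rather than an authoritative vulnerability check.

```python
import re

# Directives the article says must follow the rewrite in the same scope to trigger the bug.
FOLLOWERS = {"rewrite", "if", "set"}
# Unnamed capture references ($1, $2, ...) in the replacement string.
CAPTURE_REF = re.compile(r"\$\d+")
# Characters the article names as growing by two bytes each when escaped (assumption: the
# real escape set in nginx is larger, so this estimate is a lower bound).
ESCAPE_EXPANDING = set("+%&")


def _tokenize(text):
    """Split nginx config text into words and the structural tokens ; { }."""
    tokens, buf, i, n = [], [], 0, len(text)
    while i < n:
        c = text[i]
        if c == "#" and not buf:            # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "\"'":                    # quoted word: keep contents, drop quotes
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1
            buf.append(text[i + 1:j])
            i = j + 1
        elif c in "{};" or c.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
            if c in "{};":
                tokens.append(c)
            i += 1
        else:
            buf.append(c)
            i += 1
    if buf:
        tokens.append("".join(buf))
    return tokens


def _parse(tokens, pos=0):
    """Build a list of (args, block_or_None) statements, recursing into { } blocks."""
    stmts, args = [], []
    while pos < len(tokens):
        t = tokens[pos]
        if t == ";":
            stmts.append((args, None)); args = []; pos += 1
        elif t == "{":
            block, pos = _parse(tokens, pos + 1)
            stmts.append((args, block)); args = []
        elif t == "}":
            return stmts, pos + 1
        else:
            args.append(t); pos += 1
    return stmts, pos


def _is_risky_rewrite(args):
    """rewrite <regex> <replacement> [flag]; with '?' and $N in the replacement."""
    return (len(args) >= 3 and args[0] == "rewrite"
            and "?" in args[2] and CAPTURE_REF.search(args[2]) is not None)


def _walk(stmts, path, findings):
    pending = None  # most recent risky rewrite in this scope that has not yet been followed
    for args, block in stmts:
        if not args:
            continue
        if pending is not None and args[0] in FOLLOWERS:
            findings.append({"scope": "/".join(path) or "(main)",
                             "rewrite": " ".join(pending),
                             "followed_by": " ".join(args)})
            pending = None
        if _is_risky_rewrite(args):
            pending = args
        if block is not None:
            _walk(block, path + [" ".join(args)], findings)


def find_risky_rewrites(config_text):
    """Return one finding per risky rewrite/follower pair, in config order."""
    findings = []
    stmts, _ = _parse(_tokenize(config_text))
    _walk(stmts, [], findings)
    return findings


def overflow_bytes(capture):
    """Bytes by which the escaped copy of `capture` exceeds a buffer sized for its raw bytes."""
    return 2 * sum(1 for ch in capture if ch in ESCAPE_EXPANDING)


# Constructed sample config: two risky scopes, two that the heuristic leaves alone.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        location /old {                       # risky: $1 + '?' then a set in the same scope
            rewrite ^/old/(.*)$ /new?x=$1 break;
            set $flag 1;
        }
        location /safe {                      # nothing follows the rewrite here
            rewrite ^/safe/(.*)$ /new?x=$1 break;
        }
        location /named {                     # named capture, not $N
            rewrite "^/n/(?<name>.*)$" /new?x=$name break;
            set $flag 1;
        }
        rewrite ^/legacy/(.*)$ /app?page=$1 last;   # risky: an if block follows at server scope
        if ($http_user_agent ~ bot) {
            return 403;
        }
    }
}
"""

if __name__ == "__main__":
    for f in find_risky_rewrites(SAMPLE_CONFIG):
        print(f"[{f['scope']}] {f['rewrite']}  ->  followed by: {f['followed_by']}")
    print("overflow for 'a+b%c&d':", overflow_bytes("a+b%c&d"), "bytes")
```

Run it against a real tree with `find_risky_rewrites(open(path).read())` for each file that nginx includes; the scanner does not follow `include` directives, so feed it every file, and confirm any hit against the vendor advisory and the fixed versions before deciding it is exploitable.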
Cyber security researcher Kevin Beaumont noted that while CVE-2026-42945 in NGINX is a real vulnerability, remote code execution is unlikely in real-world environments because modern Linux distributions enable ASLR by default. The public proof-of-concept exploit only works after manually disabling ASLR with the setarch -R command. Experts say the flaw is technically valid, but fears of widespread RCE attacks are overstated.
Beaumont pointed out that the PoC disables ASLR on the target, deploys a deliberately vulnerable config, and already knows the vulnerable endpoint it needs to hit.
“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it,” Beaumont explained. “To reach RCE [remote code execution], also ASLR needs to have been disabled on the box.”
(SecurityAffairs – hacking, CVE-2026-42945)