Cybersecurity researchers have disclosed multiple critical security vulnerabilities affecting NGINX Plus and NGINX Open Source, with the most severe being an 18-year-old heap buffer overflow that enables unauthenticated remote code execution against unpatched servers.
The Vulnerability
The critical flaw, discovered by researcher depthfirst, is a heap buffer overflow in ngx_http_rewrite_module, the NGINX component responsible for URL rewriting rules. The bug, tracked as CVE-2026-42xxx (full CVE ID pending at time of publication), was introduced into the codebase approximately 18 years ago and remained undetected through millions of deployments worldwide.
The heap buffer overflow can be triggered by a specially crafted HTTP request, potentially allowing an attacker to:
- Execute arbitrary code remotely without any authentication
- Crash the NGINX worker process causing denial of service
- Gain a foothold on web servers running the vulnerable version
Scope and Impact
NGINX powers an estimated 34% of all active web servers globally, making this vulnerability particularly significant. Both NGINX Plus (the commercial offering) and NGINX Open Source are confirmed affected.
The vulnerability is notable not just for its severity but for how long it persisted:
- 18 years in the codebase without detection
- Present in the widely-used URL rewrite module
- No authentication or special privileges required to trigger the flaw
Additional Vulnerabilities
Alongside the heap overflow, researchers disclosed several additional vulnerabilities in the NGINX ecosystem at the same time. While less severe than the main RCE, these include logic flaws and input validation issues that could be chained with other techniques for further impact.
Remediation
NGINX has released updated versions addressing CVE-2026-42xxx and the related disclosures. Administrators should:
- Update NGINX immediately to the latest patched release
- NGINX Plus subscribers: check for the corresponding update that NGINX has pushed to Plus customers
- Review rewrite rules in nginx.conf for unexpected or externally-influenced patterns
- Monitor web server logs for unusual request patterns that may indicate exploitation attempts
For environments that cannot update immediately, consider:
- Deploying a WAF rule to detect and block exploit payloads targeting the rewrite module
- Restricting public access to servers where possible until patching is complete
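One way to carry out the rewrite-rule review step above, as an added example that is not from NGINX or the original article: the script inventories rewrite-module directives in a configuration and marks those whose arguments use request-derived variables. The variable list, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# ngx_http_rewrite_module directives that steer request processing.
REWRITE_DIRECTIVES = {"rewrite", "return", "break", "if", "set"}
# Assumption: variables treated as request-derived for triage; extend as needed.
REQUEST_VARS = re.compile(
    r"\$(?:(?:request_uri|uri|args|query_string|arg_\w+|http_\w+|cookie_\w+)\b|\d)")
# Tokens: quoted strings, delimiters, comments, bare words (single-line only).
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|#.*|[^\s{};"\']+')

def audit(conf_text):
    """Return (line, directive, args, request_vars) per rewrite-module directive."""
    findings, stmt, start = [], [], 0
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        for tok in TOKEN.findall(line):
            if tok.startswith("#"):
                continue  # comment runs to end of line
            if tok in ("{", "}", ";"):  # end of a statement or block header
                if stmt and stmt[0] in REWRITE_DIRECTIVES:
                    args = " ".join(stmt[1:])
                    used = sorted(set(REQUEST_VARS.findall(args)))
                    findings.append((start, stmt[0], args, used))
                stmt = []
            else:
                if not stmt:
                    start = lineno
                stmt.append(tok)
    return findings

def needs_review(findings):
    """Directives whose arguments reference request-derived values."""
    return [f for f in findings if f[3]]

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = r'''
server {
    listen 80;
    # legacy redirect
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /go {
        if ($arg_next) { return 302 $arg_next; }
    }
    location /static { set $root_dir /srv/static; return 404; }
}
'''

if __name__ == "__main__":
    for line, name, args, used in audit(SAMPLE_CONF):
        mark = "REVIEW" if used else "ok"
        print(f"{mark:6} line {line}: {name} {args}  {used}")
```

The tokenizer does not follow `include` directives or quoted strings that span lines, so run it over each included file separately.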
Background
The ngx_http_rewrite_module handles rewrite, return, break, and related directives used in virtually every non-trivial NGINX deployment. The module's age and widespread use make this flaw particularly critical — it is present in default configurations and many common deployment patterns.
This disclosure follows a broader trend of long-latent vulnerabilities being discovered in foundational web infrastructure components, highlighting the need for continuous security auditing of even well-established software.