A newly disclosed security flaw in NGINX has come under active exploitation in the wild just days after its public disclosure, according to vulnerability intelligence firm VulnCheck. The vulnerability, tracked as CVE-2026-42945 with a CVSS score of 9.2, is a heap buffer overflow residing in the ngx_http_rewrite_module — the component responsible for handling URL rewriting and redirect logic in NGINX configurations.
What Is CVE-2026-42945?
The flaw is a heap buffer overflow that occurs when NGINX processes specially crafted HTTP requests that trigger the rewrite module's internal regex evaluation logic. An attacker who can send requests to an NGINX instance with a rewrite directive in place can exploit the overflow to:
- Crash worker processes, causing a denial of service condition
- Potentially achieve remote code execution (RCE) by corrupting adjacent heap memory to redirect execution flow
The vulnerability affects both NGINX Plus (the commercial offering) and NGINX Open Source, covering a wide range of versions that include an unpatched ngx_http_rewrite_module.
NGINX's rewrite module is extremely common in production deployments — the vast majority of NGINX configurations use some form of rewrite or location block with regex matching, which means the attack surface is broad.
Active Exploitation Confirmed
VulnCheck's threat intelligence team confirmed that exploit attempts for CVE-2026-42945 were observed in the wild within approximately 72 hours of the CVE's publication. The exploitation pattern matches denial-of-service probing consistent with automated scanning infrastructure, though some observed payloads appear to be testing for conditions consistent with heap layout manipulation typical of RCE attempts.
This rapid exploitation timeline — sometimes called a "time-to-exploit" (TTE) window — reflects an acceleration trend in 2026 where threat actors have compressed the gap between CVE publication and weaponized exploit development from weeks to days or hours.
Affected Versions and Patch Status
NGINX has released patched versions addressing CVE-2026-42945. Organizations should consult the official NGINX security advisory for the complete list of affected and fixed version branches. In general:
- NGINX Open Source: Patch available — update to the latest stable branch
- NGINX Plus: Patch available — update to the current release; NGINX Plus customers on active subscriptions should receive priority notification
If patching is not immediately feasible, NGINX recommends reviewing rewrite rules and considering temporary mitigations such as:
- Restricting access to locations with complex rewrite rules at the perimeter
- Rate-limiting inbound connections to reduce exposure to automated exploitation
Why the NGINX Rewrite Module Is a High-Value Target
The ngx_http_rewrite_module is responsible for parsing and executing PCRE (Perl Compatible Regular Expressions) as part of request routing. Regex-based parsing is notoriously difficult to secure — the combination of complex state machines, variable-length input, and tight memory management creates conditions where subtle boundary conditions can result in memory corruption.
Historical precedent with rewrite-module-class vulnerabilities includes a 2025 flaw in Apache's mod_rewrite that also resulted in heap corruption, demonstrating that web server rewrite engines are a recurring target for security researchers and adversaries alike.
Broader Context: NGINX Exploitation in 2026
Earlier in 2026, a separate 18-year-old NGINX rewrite module vulnerability was disclosed (CVE-2026-42xxx series), generating significant attention because the flaw had existed undetected in the codebase for nearly two decades. CVE-2026-42945 appears to be a distinct, more recently introduced vulnerability, though it shares the same module as the attack surface.
With NGINX powering a substantial portion of the public internet — including serving as a reverse proxy or load balancer in front of many major platforms — vulnerabilities in this server software carry outsized risk.
Recommended Actions
- Patch immediately: Apply the available NGINX updates for your deployment type (Plus or Open Source).
- Audit your rewrite rules: Review all rewrite, if, and location blocks using regex for complexity that could amplify exposure.
- Check your WAF: Ensure any web application firewall in front of NGINX has updated rulesets capable of detecting exploitation payloads.
- Monitor logs: Look for anomalous worker process crashes (nginx: [alert] worker process ... exited on signal), which may indicate exploitation attempts against this flaw.
- Inventory NGINX versions: Use your asset management tooling to identify all NGINX instances — including those embedded in containers or packaged into application distributions.
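
One way to act on the log-monitoring item above, as an added example that is not from the original article or from NGINX: a Python script that parses error_log lines for worker crashes on memory-fault signals and flags bursts of them. The sample log lines, the 5-minute window and the threshold of 3 are constructed assumptions, and the regex assumes the default file-based error_log line format.

```python
import re
from datetime import datetime, timedelta

# Matches error_log lines of the form:
# 2026/01/01 10:00:01 [alert] 811#811: worker process 902 exited on signal 11 (core dumped)
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
# Signals typical of memory faults (Linux numbering); SIGKILL/SIGTERM are ignored.
FAULT_SIGNALS = {11: "SIGSEGV", 7: "SIGBUS", 6: "SIGABRT"}

# Constructed sample lines, not taken from a real incident.
SAMPLE_LOG = """\
2026/01/01 10:00:01 [notice] 811#811: signal 17 (SIGCHLD) received from 902
2026/01/01 10:00:01 [alert] 811#811: worker process 902 exited on signal 11 (core dumped)
2026/01/01 10:01:30 [alert] 811#811: worker process 915 exited on signal 11
2026/01/01 10:03:12 [alert] 811#811: worker process 921 exited on signal 11
2026/01/01 10:20:00 [notice] 811#811: worker process 930 exited with code 0
2026/01/01 14:45:00 [alert] 811#811: worker process 940 exited on signal 9
""".splitlines()

def parse_crashes(lines):
    """Return (timestamp, pid, signal) for each worker exit on a fault signal."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m["sig"]) in FAULT_SIGNALS:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            crashes.append((ts, int(m["pid"]), int(m["sig"])))
    return crashes

def crash_bursts(crashes, window=timedelta(minutes=5), threshold=3):
    """Return (start, count) for each window holding at least `threshold` crashes."""
    times = sorted(ts for ts, _, _ in crashes)
    bursts = []
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        # Report a burst once: skip starts that fall inside the last reported window.
        if count >= threshold and (not bursts or start - bursts[-1][0] > window):
            bursts.append((start, count))
    return bursts

if __name__ == "__main__":
    for start, count in crash_bursts(parse_crashes(SAMPLE_LOG)):
        print(f"ALERT: {count} worker fault crashes within 5 min of {start}")
```

A single crash can have benign causes, so the burst threshold is what should drive alerting; correlate flagged windows with access-log entries for locations that use rewrite rules.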