18-Year-Old Critical RCE Vulnerability Discovered in NGINX
A severe heap buffer overflow vulnerability (CVE-2026-42945) has been uncovered in NGINX, affecting versions dating back to 2008. The flaw, assigned a CVSS score of 9.2, resides in the ngx_http_rewrite_module, a core component used for URL rewriting and variable assignment in nearly all NGINX deployments.
The vulnerability stems from a state mismatch in NGINX’s two-pass script engine. When a configuration combines rewrite and set directives with a question mark (?), the system miscalculates buffer allocation during the first pass, leading to a heap overflow in the second. This flaw enables unauthenticated remote code execution (RCE), with researchers demonstrating a working exploit on systems with ASLR disabled. A public proof-of-concept (PoC) is now available on GitHub.
The bug was introduced in NGINX 0.6.27 (2008) and remained undetected until April 2026, when security firm depthfirst identified it during a code audit. The audit also revealed three additional memory corruption vulnerabilities:
- CVE-2026-42946 (CVSS 8.3): A high-severity flaw in ngx_http_scgi/uwsgi_module that could trigger a ~1TB memory allocation, causing crashes.
- CVE-2026-40701 (CVSS 6.3): A medium-severity use-after-free in ngx_http_ssl_module via OCSP.
- CVE-2026-42934 (CVSS 6.3): A medium-severity out-of-bounds read in ngx_http_charset_module.
The vulnerability impacts a broad range of F5/NGINX products, including NGINX Open Source (0.6.27–1.30.0), NGINX Plus (R32–R36), NGINX Instance Manager, NGINX App Protect WAF, and NGINX Ingress Controller. F5 released patches on May 13, 2026, with fixes available in NGINX 1.30.1/1.31.0 and updated versions of affected products. Organizations unable to patch immediately are advised to audit configurations for combined rewrite and set directives and restrict exposed deployments behind a WAF.
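The configuration audit recommended above, sketched as an added example (not code from the article, F5 or depthfirst): it flags every block that holds both a set directive and a rewrite whose replacement string contains a question mark. The exact trigger condition is not spelled out here, so the pairing rule, the function name audit and the sample configuration are assumptions; treat hits as candidates for review, not as confirmed exposure.

```python
import re

# Constructed sample configuration for the demo (not from the article or F5).
SAMPLE_CONF = r"""
server {
    location /old/ {
        set $target $uri;
        if ($arg_v) { rewrite ^/old/(.*)$ /new/$1?from=old last; }
    }
    location /static/ { set $kind static; rewrite ^/static/(.*)$ /assets/$1 break; }
    location /api/ { rewrite ^ "/v2$uri?legacy=1" last; }   # '?' but no set
}
"""

# Token = quoted string, comment, structural character, or bare word.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{};]|[^\s{};"\']+')

def audit(conf_text):
    """Return paths of blocks holding both `set` and a `rewrite` with '?' in its replacement."""
    findings = []
    stack = [{"path": "main", "set": False, "rewrite_q": False}]
    words = []                                # tokens of the directive being read
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):               # comment: ignore
            continue
        if tok == "{":
            if words[:1] == ["if"]:
                stack.append(stack[-1])       # assumption: `if` shares its parent's scope
            else:
                stack.append({"path": stack[-1]["path"] + " > " + " ".join(words),
                              "set": False, "rewrite_q": False})
            words = []
        elif tok == "}":
            if len(stack) > 1:                # tolerate a stray closing brace
                block = stack.pop()
                if block is not stack[-1] and block["set"] and block["rewrite_q"]:
                    findings.append(block["path"])
        elif tok == ";":
            if words[:1] == ["set"]:
                stack[-1]["set"] = True
            elif words[:1] == ["rewrite"] and len(words) >= 3 and "?" in words[2]:
                stack[-1]["rewrite_q"] = True
            words = []
        else:
            words.append(tok)
    if stack[0]["set"] and stack[0]["rewrite_q"]:
        findings.append("main")               # include snippet with bare directives
    return findings
```

The function does not follow include directives, so run it on each file or on the full dump printed by nginx -T.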
Source: https://cybersecuritynews.com/18-year-old-nginx-rce-vulnerability/