Critical 18-Year-Old NGINX Vulnerability Exposes Systems to Remote Code Execution
A severe heap buffer overflow vulnerability, tracked as CVE-2026-42945 (CVSS 9.2), has been disclosed in NGINX, one of the world’s most widely deployed web servers. The flaw, present in the ngx_http_rewrite_module since 2008, enables unauthenticated remote code execution (RCE) under specific configuration conditions.
The vulnerability arises when an unnamed PCRE capture (e.g., $1, $2) is used in a replacement string containing a ?, followed immediately by another rewrite, if, or set directive. While the flaw is critical, exploitation requires an exact configuration match, limiting its immediate impact to affected deployments.
Patches have been released in NGINX versions 1.30.1 and 1.31.0, with mitigation also possible by rewriting configurations to use named captures instead. A proof-of-concept (PoC) exploit has been made public, increasing the urgency for organizations to assess and remediate their NGINX instances.
The disclosure underscores the risks of long-standing vulnerabilities in foundational software, particularly as attackers refine exploitation techniques. Enterprises relying on NGINX are advised to verify their configurations and apply updates promptly.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7460596025502732288
NGINX TPRM report: https://www.rankiteo.com/company/nginx
"id": "ngi1778747274",
"linkid": "nginx",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Organizations using NGINX with '
'vulnerable configurations',
'industry': 'Technology/Web Servers',
'name': 'NGINX',
'type': 'Software'}],
'attack_vector': 'Remote',
'description': 'A severe heap buffer overflow vulnerability, tracked as '
'CVE-2026-42945 (CVSS 9.2), has been disclosed in NGINX, one '
'of the world’s most widely deployed web servers. The flaw, '
'present in the ngx_http_rewrite_module since 2008, enables '
'unauthenticated remote code execution (RCE) under specific '
'configuration conditions. The vulnerability arises when an '
'unnamed PCRE capture (e.g., $1, $2) is used in a replacement '
'string containing a ?, followed immediately by another '
'rewrite, if, or set directive. While the flaw is critical, '
'exploitation requires an exact configuration match, limiting '
'its immediate impact to affected deployments.',
'impact': {'operational_impact': 'Potential remote code execution leading to '
'system compromise',
'systems_affected': 'NGINX web servers with specific '
'configurations'},
'lessons_learned': 'The disclosure underscores the risks of long-standing '
'vulnerabilities in foundational software, particularly as '
'attackers refine exploitation techniques.',
'post_incident_analysis': {'corrective_actions': 'Patch deployment and '
'configuration changes to '
'use named captures',
'root_causes': 'Heap buffer overflow in '
'ngx_http_rewrite_module due to '
'improper handling of unnamed PCRE '
'captures in replacement strings'},
'recommendations': 'Enterprises relying on NGINX are advised to verify their '
'configurations and apply updates promptly.',
'references': [{'source': 'Proof-of-Concept (PoC) exploit'}],
'response': {'containment_measures': 'Patches released in NGINX versions '
'1.30.1 and 1.31.0; mitigation by '
'rewriting configurations to use named '
'captures',
'remediation_measures': 'Apply patches (NGINX 1.30.1/1.31.0) or '
'reconfigure to use named captures'},
'title': 'Critical 18-Year-Old NGINX Vulnerability Exposes Systems to Remote '
'Code Execution',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-42945 (Heap Buffer Overflow in '
'ngx_http_rewrite_module)'}