NGINX CVE-2026-42945 heap overflow under active exploitation with RCE potential
A heap buffer overflow in NGINX's rewrite module (CVE-2026-42945, CVSS 9.2) is being exploited in the wild days after disclosure, affecting versions 0.6.27 through 1.30.0 and potentially enabling remote code execution or worker process crashes.
VulnCheck has confirmed that CVE-2026-42945 is actively exploited in production environments within days of its public disclosure. This heap buffer overflow in ngx_http_rewrite_module affects a wide range of NGINX versions spanning nearly two decades of releases (0.6.27 through 1.30.0), suggesting most deployed instances remain vulnerable without immediate patching.
The vulnerability exists in the rewrite module, a commonly enabled component used for URL manipulation and conditional request handling. Heap overflows in this context are particularly dangerous because they can corrupt adjacent memory structures, enabling attackers to escape sandbox restrictions or achieve arbitrary code execution within the worker process context. The CVSS score of 9.2 reflects both the ease of exploitation and the severity of potential outcomes: remote code execution or denial of service through worker crashes.
Organisations running NGINX as reverse proxies, load balancers, or web servers face immediate risk. The attack surface is broad: any deployment with the rewrite module enabled and accepting untrusted HTTP requests (which is nearly all public-facing instances) can be targeted. The rapid transition from disclosure to active exploitation suggests attackers have either reverse-engineered publicly available patches or developed exploits from proof-of-concept information released during the vulnerability window.
Defenders should prioritise patching to the latest stable release immediately, particularly in perimeter-facing deployments. Where patching cannot be completed within hours, implement network controls to restrict access to NGINX management interfaces, and monitor access logs for suspicious request patterns that hit rewrite rules. Organisations should also review their NGINX configuration and disable the rewrite module if it is not actively required, reducing the attack surface.
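An added example, not part of the original article or NGINX's own tooling: a triage helper that checks an `nginx -v` banner against the affected range stated above and inventories rewrite-module directives in an `nginx -T` dump, to support the configuration review. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Affected range as stated on this page: 0.6.27 through 1.30.0 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (0, 6, 27), (1, 30, 0)
# Directives implemented by ngx_http_rewrite_module.
REWRITE_DIRECTIVES = {"break", "if", "return", "rewrite", "rewrite_log",
                      "set", "uninitialized_variable_warn"}


def in_affected_range(banner):
    """`nginx -v` banner in the stated range? None if no version is found."""
    # Assumption: the banner reflects the running code; distribution packages
    # may backport fixes without changing it.
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    version = tuple(int(part) for part in m.groups())
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def rewrite_usage(config_text):
    """Return (line number, directive) for each rewrite-module directive."""
    # Simplified: comments cut at '#', statements split on '{', '}', ';'.
    # Quoted strings containing those characters are not handled.
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        for statement in re.split(r"[{};]", code):
            m = re.match(r"\s*([a-z_]+)", statement)
            if m and m.group(1) in REWRITE_DIRECTIVES:
                hits.append((lineno, m.group(1)))
    return hits


# Constructed sample standing in for `nginx -T` output.
SAMPLE_CONFIG = """\
server {
    listen 80;
    proxy_set_header Host $host;   # not a rewrite-module directive
    if ($request_method = POST) { return 405; }
    location /old { rewrite ^/old/(.*)$ /new/$1 permanent; }
    # rewrite ^/disabled$ / last;
}
"""

if __name__ == "__main__":
    print(in_affected_range("nginx version: nginx/1.24.0"))
    print(rewrite_usage(SAMPLE_CONFIG))
```

A `None` result from the version check means the banner could not be parsed and the host needs manual review rather than being treated as unaffected.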
This incident reinforces that critical infrastructure components with global deployment (NGINX powers an estimated 30 percent of all web servers) become vulnerability focal points once disclosure occurs. The compressed exploitation timeline demonstrates that security teams can no longer assume vendor patches provide a grace period before real-world attacks materialise.