18-Year-Old NGINX Rewrite Module Vulnerability Enables Remote Code Execution

Critical heap buffer overflow in ngx_http_rewrite_module affects both NGINX Plus and NGINX Open Source installations.

NGINX rewrite module contains critical heap buffer overflow vulnerability (CVE-2026-42945) present for 18 years
Flaw enables unauthenticated remote code execution with CVSS v4 score of 9.2
Vulnerability affects both NGINX Plus and NGINX Open Source deployments

Security researchers at depthfirst have disclosed multiple vulnerabilities in NGINX Plus and NGINX Open Source, including a critical heap buffer overflow that has remained unpatched for 18 years.

The most severe vulnerability, tracked as CVE-2026-42945, affects the ngx_http_rewrite_module component and carries a CVSS v4 score of 9.2. The flaw allows attackers to achieve remote code execution or cause denial-of-service conditions without authentication.

The vulnerability represents a significant exposure given NGINX’s widespread deployment across web infrastructure. The rewrite module, commonly used for URL manipulation and redirects, processes user input in a way that can trigger heap buffer overflow conditions.

According to the research, multiple security vulnerabilities impact both NGINX Plus and NGINX Open Source installations, though specific details about the additional flaws were not provided in the disclosure.

The 18-year lifespan of this vulnerability highlights how long-standing code can harbour critical security flaws that escape detection during regular security reviews and automated scanning processes.

Why It Matters

This vulnerability poses significant operational risk for organisations running NGINX infrastructure. The combination of remote code execution capability, lack of authentication requirements, and the widespread deployment of NGINX across enterprise environments creates substantial exposure. The 18-year presence of this flaw demonstrates the challenge of identifying vulnerabilities in mature codebases that form critical infrastructure components.

For board reporting, this incident illustrates the importance of continuous security assessment for foundational infrastructure components, even those considered stable and mature.

What To Do Now

Inventory all NGINX Plus and NGINX Open Source deployments using the rewrite module based on the vulnerability disclosure
Monitor for official patches from NGINX as the vulnerability has been publicly disclosed

Sources

The Hacker News

Why It Matters

What To Do Now

Sources

Related Posts

Microsoft Exchange Server vulnerability CVE-2026-42897 under active exploitation

Ivanti, Fortinet, SAP, VMware Patch Critical Vulnerabilities

Microsoft patches 30 critical vulnerabilities in May update