Heap buffer overflow vulnerability affects NGINX versions 0.6.27 through 1.30.0 with possible remote code execution.
- CVE-2026-42945 heap buffer overflow in NGINX’s rewrite module is being actively exploited
- Vulnerability affects NGINX versions 0.6.27 through 1.30.0 with CVSS score of 9.2
- Exploitation causes worker process crashes and potentially enables remote code execution
A critical heap buffer overflow vulnerability in NGINX is being actively exploited in the wild, just days after its public disclosure. The flaw, designated CVE-2026-42945, carries a CVSS score of 9.2.
The vulnerability exists in the ngx_http_rewrite_module and affects both NGINX Plus and NGINX Open Source versions from 0.6.27 through 1.30.0. According to VulnCheck, exploitation attempts have been detected following the vulnerability’s public disclosure.
The security firm depthfirst identified the flaw as a heap buffer overflow that can cause NGINX worker processes to crash. More concerning, the vulnerability may enable remote code execution under certain conditions.
The ngx_http_rewrite_module is a core component of NGINX that processes URL rewriting rules. Buffer overflow vulnerabilities in this module are particularly dangerous because a heap overflow corrupts memory adjacent to the overflowed buffer, which, depending on what the attacker can control, may let them crash the worker process or potentially execute arbitrary code on the affected server.
NGINX is one of the most widely deployed web servers globally, making this vulnerability a significant threat to internet infrastructure. The broad version range affected by CVE-2026-42945 means many installations are potentially vulnerable.
Why It Matters
This vulnerability represents a critical risk for organisations running NGINX infrastructure. The combination of active exploitation, widespread NGINX deployment, and potential for remote code execution creates an urgent patching priority. CISOs should expect this to feature prominently in board risk discussions and regulatory scrutiny given the 9.2 CVSS score and confirmed exploitation.
The vulnerability’s impact on the rewrite module means it could affect organisations using NGINX for load balancing, reverse proxy, or web serving functions. Any compromise could lead to service disruption or complete server takeover.
What To Do Now
- Immediately inventory all NGINX deployments to identify affected versions 0.6.27 through 1.30.0
- Monitor NGINX security advisories for patch availability and upgrade guidance
- Implement network monitoring to detect potential exploitation attempts targeting NGINX infrastructure
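A small helper for the inventory step above, added here as an example and not taken from the advisory or from the NGINX project: it reads the version `nginx -v` reports and classifies it against the affected range 0.6.27 through 1.30.0 that the advisory states. The function and variable names are the example's own; because the advisory names no fixed release, a version above 1.30.0 is reported only as outside the published range, not as patched.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a local NGINX build against the
# version range 0.6.27 through 1.30.0 the advisory gives for CVE-2026-42945.
# The range is treated as inclusive at both ends, as the advisory states it.

# Turn "MAJOR.MINOR.PATCH" into one sortable integer (assumes each part < 1000;
# any fourth component, as in some vendor builds, is ignored).
version_key() {
    old_ifs=$IFS
    IFS=.
    # shellcheck disable=SC2086
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

AFFECTED_LOW=$(version_key 0.6.27)
AFFECTED_HIGH=$(version_key 1.30.0)

# True (exit 0) when VERSION lies inside the affected range, false (exit 1) otherwise.
is_affected() {
    key=$(version_key "$1")
    [ "$key" -ge "$AFFECTED_LOW" ] && [ "$key" -le "$AFFECTED_HIGH" ]
}

# Pull the version out of the banner `nginx -v` prints on stderr, e.g.
# "nginx version: nginx/1.26.2" or "nginx version: nginx/1.26.2 (Ubuntu)".
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: [^/]*/\([0-9][0-9.]*\).*#\1#p'
}

# Query the binary on this host and print a one-line verdict; run it on every host
# in the inventory. Exit 0 = inside range, 1 = outside published range, 2 = unknown.
check_local_nginx() {
    banner=$(nginx -v 2>&1) || { echo "nginx not found or not runnable"; return 2; }
    ver=$(parse_nginx_version "$banner")
    [ -n "$ver" ] || { echo "could not parse a version from: $banner"; return 2; }
    if is_affected "$ver"; then
        echo "nginx $ver: INSIDE affected range for CVE-2026-42945 (0.6.27-1.30.0)"
        return 0
    fi
    echo "nginx $ver: outside the published affected range (no fix version is named; verify with vendor advisory)"
    return 1
}
```

Call `check_local_nginx` from a configuration-management or SSH fan-out job and collect the exit codes to build the inventory of affected hosts.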
