Urgent NGINX Vulnerability CVE-2026-42945: Active Exploitation and Mitigation FAQ

A critical security flaw in NGINX Plus and NGINX Open Source has been actively exploited in the wild shortly after public disclosure. This FAQ addresses key questions about the vulnerability, its impact, and steps to secure your systems.

1. What is CVE-2026-42945?

CVE-2026-42945 is a heap buffer overflow vulnerability found in the ngx_http_rewrite_module of NGINX. This flaw allows an attacker to trigger worker process crashes and, under certain conditions, achieve remote code execution (RCE). The vulnerability was disclosed by VulnCheck and quickly confirmed as being exploited in the wild by AI-native security company depthfirst. It is considered a critical threat due to its high CVSS score of 9.2.

Urgent NGINX Vulnerability CVE-2026-42945: Active Exploitation and Mitigation FAQ
Source: feeds.feedburner.com

2. Which NGINX versions are affected?

The vulnerability impacts all NGINX versions from 0.6.27 up to and including 1.30.0. This wide range covers both NGINX Open Source and NGINX Plus (the commercial version). If you are running any of these versions, your server is at risk. You can check your version with nginx -v. It is crucial to upgrade immediately to a patched release (e.g., 1.31.0 or later, as specified in the official advisories).
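The version check above is easy to get wrong when done by eye, especially on fleets mixing Open Source and Plus builds. The following script is an added example (not code from the article or from NGINX): it parses the banner that nginx -v writes to stderr and compares the version against the inclusive range the FAQ states, 0.6.27 through 1.30.0. The banner formats for Open Source ("nginx version: nginx/1.24.0") and Plus ("nginx version: nginx/1.25.5 (nginx-plus-r32)") are real; the Plus release string in the comment is only a shape illustration.

```python
import re
import subprocess

# Affected range exactly as stated in the FAQ: 0.6.27 through 1.30.0 inclusive.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

# Matches the "nginx/X.Y.Z" token in the -v banner; NGINX Plus appends its own
# release tag in parentheses after the upstream version, which we ignore.
VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_nginx_version(banner: str):
    """Extract (major, minor, patch) from an `nginx -v` banner such as
    'nginx version: nginx/1.24.0' or 'nginx version: nginx/1.25.5 (nginx-plus-r32)'."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised nginx version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True when the version lies inside the inclusive affected range.
    Tuple comparison handles 1.9.x vs 1.10.x correctly, which string comparison does not."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def get_local_banner() -> str:
    """Run the locally installed binary; nginx prints its version banner to stderr."""
    result = subprocess.run(["nginx", "-v"], capture_output=True, text=True, check=False)
    return (result.stderr or result.stdout).strip()


if __name__ == "__main__":
    try:
        banner = get_local_banner()
    except FileNotFoundError:
        raise SystemExit("nginx binary not found on PATH")
    version = parse_nginx_version(banner)
    verdict = "AFFECTED - upgrade to a patched release" if is_affected(version) else "outside the affected range"
    print(f"{banner}: {verdict}")
```

Run it on each host (or feed banners collected by your inventory tooling into parse_nginx_version) and treat any "AFFECTED" result as a patch-now ticket; the range boundaries are deliberately inclusive on both ends to match the advisory wording.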

3. What is the severity and impact?

The vulnerability carries a CVSS score of 9.2, placing it in the “Critical” category. The primary impact is the ability to cause worker crashes, leading to service disruption (denial of service). More alarmingly, successful exploitation can lead to remote code execution (RCE), giving an attacker full control over the affected server. The combination of high attack complexity and low privileges required makes it attractive to threat actors. depthfirst has confirmed active exploitation attempts in the wild, increasing the urgency.

4. How is the exploit being carried out?

The exploit leverages a heap buffer overflow in the rewrite module. By sending specially crafted HTTP requests (often involving rewrite rules), an attacker can write beyond allocated memory, corrupting adjacent heap structures. This can overwrite critical data or inject malicious code. Public proof-of-concept (PoC) code has emerged since disclosure, and VulnCheck reported that multiple threat actors are scanning for vulnerable servers. The attack does not require authentication, making internet-facing NGINX installations prime targets.
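Because the FAQ names worker process crashes as the primary symptom, the cheapest detection signal is the nginx error_log itself: a worker killed by a memory fault logs "worker process N exited on signal 11" (SIGSEGV) or "signal 6" (SIGABRT, raised when the allocator detects heap corruption), whereas graceful exits during reloads log "exited with code 0". The detector below is an added example, not from the article or from NGINX, and runs over a constructed error_log excerpt; the timestamps, PIDs and the burst threshold are invented for illustration, while the line format is nginx's real one.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# A worker crash appears in the nginx error_log as, for example:
#   2026/05/02 10:15:20 [alert] 1200#1200: worker process 1301 exited on signal 11 (core dumped)
# Graceful exits (reloads, shutdowns) log "exited with code 0" and are not matched.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\d+#\d+: worker process (?P<worker>\d+) exited on signal (?P<sig>\d+)"
)

# Constructed sample error_log excerpt (not real traffic): one reload, a burst of
# three crashes within eleven seconds, then an isolated crash over an hour later.
SAMPLE_LOG = [
    "2026/05/02 10:15:01 [notice] 1200#1200: signal 1 (SIGHUP) received from 1, reconfiguring",
    "2026/05/02 10:15:01 [notice] 1200#1200: worker process 1298 exited with code 0",
    "2026/05/02 10:15:20 [alert] 1200#1200: worker process 1301 exited on signal 11 (core dumped)",
    "2026/05/02 10:15:24 [alert] 1200#1200: worker process 1305 exited on signal 11 (core dumped)",
    "2026/05/02 10:15:31 [alert] 1200#1200: worker process 1309 exited on signal 6 (core dumped)",
    "2026/05/02 11:40:02 [alert] 1200#1200: worker process 1410 exited on signal 11 (core dumped)",
]


def parse_crash(line: str):
    """Return {'ts', 'worker', 'signal'} for a worker-crash line, or None for any other line."""
    m = CRASH_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "worker": int(m["worker"]),
        "signal": int(m["sig"]),
    }


def crash_bursts(lines, window_seconds: int = 60, threshold: int = 3):
    """Sliding-window detector: return the timestamps at which `threshold` memory-fault
    crashes (signal 11 or 6) have landed inside `window_seconds`. Crashes on other
    signals are ignored, and each burst raises one alert before counting restarts."""
    recent = deque()
    alerts = []
    for line in lines:
        ev = parse_crash(line)
        if ev is None or ev["signal"] not in (6, 11):
            continue
        recent.append(ev["ts"])
        # Evict crashes that have aged out of the window.
        while recent and ev["ts"] - recent[0] > timedelta(seconds=window_seconds):
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ev["ts"])
            recent.clear()
    return alerts


if __name__ == "__main__":
    for ts in crash_bursts(SAMPLE_LOG):
        print(f"{ts}: repeated worker crashes - investigate for exploitation attempts")
```

A single crash is noise on a busy server; a cluster of SIGSEGV/SIGABRT exits within a minute on an unpatched host is the pattern worth paging on. Pair the alert with the access_log entries from the same seconds to find the requests that preceded each crash, and preserve the core dumps if they are enabled.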


5. What steps should administrators take to mitigate?

Immediate action is required:

Refer to the official advisory for detailed instructions.

6. Can this be fixed without a full NGINX update?

While a full update is the most reliable fix, administrators may use temporary workarounds if patching is delayed. Options include disabling the ngx_http_rewrite_module (if not essential) or adding explicit input validation in configuration. However, these weaken the system. An alternative is using virtual patching via IDS/IPS systems. Always prioritize obtaining the official patch. The vulnerability affects the rewrite module’s internal memory handling, so configuration tweaks alone may not block all attack vectors.
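Before deciding whether the rewrite module is "essential" enough to keep, an administrator needs two facts: whether the running binary was built with it, and which parts of the configuration depend on it. The script below is an added example (not from the article or from NGINX) that answers both. It reads the "configure arguments:" line that nginx -V prints to stderr and looks for the real build flag --without-http_rewrite_module, and it counts the directives the module provides (rewrite, if, set, return, break, rewrite_log) in a configuration file, skipping comments. The sample configuration and its hostname are constructed for illustration.

```python
import re
import subprocess

# Directives implemented by ngx_http_rewrite_module; if the module is compiled out,
# every one of these lines becomes a configuration error at startup.
REWRITE_DIRECTIVES = {"rewrite", "if", "set", "return", "break", "rewrite_log"}
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\b")

# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.test;   # constructed hostname
    # rewrite ^/old$ /new permanent;  (commented out, must not be counted)
    if ($host = 'www.example.test') {
        return 301 https://example.test$request_uri;
    }
    location /legacy/ {
        rewrite ^/legacy/(.*)$ /$1 last;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""


def rewrite_module_compiled_out(configure_line: str) -> bool:
    """True when the build omitted the rewrite module. `configure_line` is the
    'configure arguments: ...' line from `nginx -V`."""
    return "--without-http_rewrite_module" in configure_line.split()


def rewrite_directive_usage(config_text: str) -> dict:
    """Count rewrite-module directives per name, ignoring everything after '#'.
    An empty result means the module can be removed without breaking the config."""
    counts = {}
    for raw in config_text.splitlines():
        code = raw.split("#", 1)[0]
        m = DIRECTIVE_RE.match(code)
        if m and m.group(1) in REWRITE_DIRECTIVES:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def get_configure_line() -> str:
    """Run the local binary and return its 'configure arguments:' line (nginx -V writes to stderr)."""
    result = subprocess.run(["nginx", "-V"], capture_output=True, text=True, check=False)
    for line in (result.stderr + result.stdout).splitlines():
        if line.startswith("configure arguments:"):
            return line
    return ""


if __name__ == "__main__":
    usage = rewrite_directive_usage(SAMPLE_CONF)
    print("rewrite-module directives in sample config:", usage or "none")
    try:
        print("rewrite module compiled out:", rewrite_module_compiled_out(get_configure_line()))
    except FileNotFoundError:
        print("nginx binary not found on PATH")
```

Point rewrite_directive_usage at your real nginx.conf and every included file; a non-empty result is the list of behaviour (redirects, canonical-host handling, legacy URL mapping) you would have to reimplement elsewhere, which is the concrete cost the FAQ means by "weaken the system". Note that a configuration-level workaround of that kind does not change the module's memory handling, so it is a stopgap until the patched release is deployed.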

7. What does this mean for NGINX Plus subscribers?

NGINX Plus users are equally affected; the same code base is used. F5 (NGINX’s parent company) typically provides hotfixes for Plus customers before public announcements. Subscribers should check their support portal for a patched build. The commercial team may also offer temporary rule-based protections in NGINX Plus modules like App Protect. As always, staying within the supported version track ensures timely security updates.
