Critical NGINX Vulnerability CVE-2026-42945 Allows Remote Code Execution
Severity: High (Score: 78.8)
Sources: Depthfirst, almalinux.org, depthfirst.com, nvd.nist.gov, Ubuntu
Summary
A critical vulnerability in NGINX's ngx_http_rewrite_module, tracked as CVE-2026-42945, was disclosed on May 13, 2026. It is a heap-based buffer overflow that lets an unauthenticated attacker crash NGINX worker processes and, on systems with Address Space Layout Randomization (ASLR) disabled, potentially execute code remotely. The flaw has been present for 18 years and affects all NGINX Open Source versions from 0.6.27 to 1.30.0 and NGINX Plus R32 to R36. Exploitation requires only a specially crafted HTTP request that triggers the memory corruption. Emergency patches were released shortly after the disclosure, but proof-of-concept exploits are already public. The vulnerability is particularly concerning for the rewrite configurations commonly used in PHP and WordPress environments. Security teams are advised to apply the patches immediately or, where that is not yet possible, reconfigure the vulnerable rewrite rules to mitigate the risk. Note that distribution packages (RHEL, AlmaLinux, Ubuntu) typically backport security fixes without changing the upstream version string, so confirm patch status from the package changelog rather than from the version number alone.

Key Points:
- CVE-2026-42945 lets unauthenticated attackers crash NGINX worker processes and, with ASLR disabled, potentially execute code remotely on vulnerable servers.
- The vulnerability has existed for 18 years and affects all versions from 0.6.27 to 1.30.0.
- Emergency patches were released on May 13, 2026, but exploits are already circulating.
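To turn the affected-version range and the ASLR condition from the summary into a local check, here is an added example script; it is not from the advisory, the cited sources, or the NGINX project. It parses `nginx -V` output for the version and for the `--without-http_rewrite_module` configure flag, treats the quoted range 0.6.27 through 1.30.0 as inclusive because this page does not name the first fixed release, and reads `/proc/sys/kernel/randomize_va_space` to report whether ASLR is on. The `nginx -V` text embedded in it is constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a local nginx build against the
# version range quoted in the summary and report the host's ASLR state.

# Compare two dotted version strings field by field; prints -1, 0 or 1 like strcmp.
# A fourth field (OpenResty-style 1.25.3.1) is absorbed into "rest" and ignored.
vercmp() {
    IFS=. read -r a1 a2 a3 rest <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$2
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}; y=${pair##*:}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# True when 0.6.27 <= version <= 1.30.0. Both ends are treated as affected because
# the page states the range but not the first fixed release (assumption).
nginx_version_in_range() {
    [ "$(vercmp "$1" 0.6.27)" -ge 0 ] && [ "$(vercmp "$1" 1.30.0)" -le 0 ]
}

# Pull "1.26.3" out of the first line of `nginx -V` output ("nginx version: nginx/1.26.3",
# also "nginx/1.27.4 (nginx-plus-r34)" or "openresty/1.25.3.1").
nginx_version_from_v() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: [a-z-]*\/\([0-9.]*\).*/\1/p'
}

# The rewrite module is compiled in unless the build was configured with
# --without-http_rewrite_module, which `nginx -V` echoes under "configure arguments:".
rewrite_module_present() {
    ! printf '%s\n' "$1" | grep -q -- '--without-http_rewrite_module'
}

# Classify a captured `nginx -V` dump. Prints exactly one of:
#   unknown-version | rewrite-module-disabled | affected-range | outside-range
assess_nginx() {
    v=$(nginx_version_from_v "$1")
    if [ -z "$v" ]; then echo unknown-version; return; fi
    if ! rewrite_module_present "$1"; then echo rewrite-module-disabled; return; fi
    if nginx_version_in_range "$v"; then echo affected-range; else echo outside-range; fi
}

# ASLR: a default Linux kernel sets randomize_va_space to 2 (full randomization).
# The summary ties the RCE outcome, as opposed to a worker crash, to ASLR being disabled.
aslr_enabled() {
    [ "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)" = 2 ]
}

# Constructed sample of `nginx -V` output for offline use (not from a real host).
SAMPLE_V='nginx version: nginx/1.26.3
built by gcc 13.2.0 (Ubuntu 13.2.0-23ubuntu4)
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'

# Use the live binary when one is on PATH (nginx -V writes to stderr), else the sample.
if command -v nginx >/dev/null 2>&1; then
    echo "nginx: $(assess_nginx "$(nginx -V 2>&1)")"
else
    echo "nginx (sample): $(assess_nginx "$SAMPLE_V")"
fi
if aslr_enabled; then echo "aslr: enabled"; else echo "aslr: disabled or unknown"; fi
```

A version inside the range is not proof of exposure: AlmaLinux, RHEL and Ubuntu backport security fixes without bumping the upstream version string, so on packaged builds confirm with `rpm -q --changelog nginx | grep CVE-2026-42945` or `apt changelog nginx` rather than the version alone. The script only says whether the binary carries the rewrite module and sits in the quoted range; it does not probe for the bug itself.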
Key Entities
- DDoS (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2026-42945 (cve)
- CWE-122 - Heap-based Buffer Overflow (cwe)
- CWE-287 - Improper Authentication (cwe)
- bugs.almalinux.org (domain)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- AlmaLinux (platform)
- CentOS Stream (platform)
- PHP (platform)
- RHEL (platform)
- WordPress (platform)
- Nginx (tool)
- Nginx Rift (vulnerability)