Critical NGINX Vulnerability CVE-2026-42945 Exposes Servers to Remote Code Execution

Severity: Critical (Score: 80.0)

Sources: Depthfirst, nvd.nist.gov

Summary

A critical vulnerability, CVE-2026-42945, has been identified in the ngx_http_rewrite_module of NGINX, allowing unauthenticated remote attackers to exploit a heap-based buffer overflow. The flaw arises when an unnamed PCRE capture is used with a replacement string containing a question mark, followed by a rewrite, if, or set directive. This vulnerability can lead to remote code execution and service disruption for affected NGINX deployments. Systems with Address Space Layout Randomization (ASLR) disabled are particularly at risk. NGINX instances running vulnerable configurations are exposed until patched or reconfigured. The vulnerability was published on 2026-05-13, and a proof of concept (PoC) was also released on the same date. Users are advised to upgrade to fixed releases or modify their rewrite configurations to mitigate the risk. Key Points: • CVE-2026-42945 is a critical vulnerability in NGINX affecting the ngx_http_rewrite_module. • Attackers can exploit this flaw to achieve remote code execution without authentication. • Immediate action is required to patch affected NGINX instances or reconfigure rewrite directives.

Key Entities

• Zero-day Exploit (attack_type)
• CVE-2026-42945 (cve)
• Cwe-122 - Heap-based Buffer Overflow (cwe)
• T1190 - Exploit Public-Facing Application (mitre_attack)
• Nginx (tool)
• Nginx Rift (vulnerability)