Tech News

18-year-old NGINX vulnerability allows DoS, potential RCE

Why This Matters

The discovery of an 18-year-old critical vulnerability in NGINX, one of the most widely deployed web servers and reverse proxies, shows that long-lived code paths still need ongoing scrutiny. Exploiting the flaw can cause denial of service and, under certain conditions, remote code execution, putting the many online services and users that sit behind NGINX at risk. Finding and fixing such long-standing bugs is essential to maintaining trust in internet infrastructure.

Key Takeaways

An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution.

The vulnerability is tracked as CVE-2026-42945 and received a critical severity rating of 9.2, based on the latest version of the Common Vulnerability Scoring System (CVSS).

Three more memory corruption security issues were discovered in the same six-hour code scanning session by researchers at AI-native security company DepthFirst AI.

NGINX is a massively used web server and reverse proxy platform, powering a third of the top-ranked websites. It can efficiently balance load by distributing incoming network traffic across multiple backend servers and reduce load times by caching content.

Owned and maintained by American tech firm F5, the web server is used by cloud providers, SaaS companies, banks, media platforms, e-commerce sites, and in Kubernetes clusters.

CVE-2026-42945 is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0; the flaw has been present in the project’s code for roughly 18 years.

According to DepthFirst, the vulnerability can be triggered when NGINX configurations use both the ‘rewrite’ and ‘set’ directives, a pattern the researchers say is common in API gateways and reverse proxy setups.

The flaw stems from inconsistent state handling in NGINX’s internal script engine, which processes rewrites in two passes: one to calculate the amount of memory to allocate, and one to copy the actual data.

An ‘is_args’ flag remains set after a rewrite whose replacement contains ‘?’. The size-calculation pass then budgets for the unescaped length of the URI, while the copy pass, seeing the stale flag, percent-escapes characters such as ‘+’ and ‘&’ into longer sequences and writes past the end of the allocation, producing a heap buffer overflow.
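The size-then-copy mismatch described above, as an added example that is not part of the article and not NGINX's source: a small C model of a two-pass script engine with a stale is_args flag. The names (engine_t, capture_len, capture_copy, eval_directive, rewrite_then_set_overflow), the set of characters that get percent-escaped, and the assumption that the size pass runs on a freshly zeroed engine while the copy pass reuses shared state left over from the previous directive are all assumptions chosen so that the model reproduces the mismatch the researchers describe. The copy pass counts out-of-bounds bytes instead of writing them, so the program runs safely and reports the overflow as a number.

```c
/*
 * Model of a two-pass (size, then copy) script engine with a stale is_args
 * flag. Added illustration, not NGINX source: names, the escaped-character
 * set and the fresh-engine-for-sizing detail are assumptions.
 *
 * Config pattern the model stands in for (assumed shape):
 *   rewrite ^/old/(.*)$ /new?q=$1 break;   # emits '?', is_args becomes set
 *   set $copy $1;                          # expands the capture again
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int is_args;   /* 1 once a '?' has been emitted into the target URI */
} engine_t;

/* Characters the model percent-encodes inside a query string (assumed set). */
static int needs_escape(unsigned char c)
{
    return c == '+' || c == '&' || c == '?' || c == '#' || c == ' ' || c == '%';
}

/* Size pass: bytes the capture will occupy under the given engine state. */
static size_t capture_len(const engine_t *e, const char *cap)
{
    size_t len = 0;
    for (const char *p = cap; *p != '\0'; p++) {
        len += (e->is_args && needs_escape((unsigned char) *p)) ? 3 : 1;
    }
    return len;
}

/* Copy pass: writes the capture into buf, escaping when is_args is set.
 * Bytes that would land beyond buf_len are counted, not written, so the
 * model reports an overflow instead of corrupting the heap.
 * Returns the number of bytes the pass wanted to write. */
static size_t capture_copy(const engine_t *e, const char *cap,
                           char *buf, size_t buf_len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t want = 0;

    for (const char *p = cap; *p != '\0'; p++) {
        unsigned char c = (unsigned char) *p;
        char out[3];
        size_t n;

        if (e->is_args && needs_escape(c)) {
            out[0] = '%';
            out[1] = hex[c >> 4];
            out[2] = hex[c & 0x0F];
            n = 3;
        } else {
            out[0] = (char) c;
            n = 1;
        }
        for (size_t i = 0; i < n; i++, want++) {
            if (want < buf_len) {
                buf[want] = out[i];
            }
        }
    }
    return want;
}

/* Model of the step that emits '?' into the rewritten URI. */
static void emit_question_mark(engine_t *e)
{
    e->is_args = 1;
}

/* Evaluate one directive that expands a captured value. The size pass runs
 * on a fresh, zeroed engine; the copy pass runs on the shared engine that
 * still carries state from earlier directives. Returns how many bytes the
 * copy pass tried to write past the allocation (0: both passes agreed). */
static size_t eval_directive(engine_t *shared, const char *cap, int fixed)
{
    engine_t len_engine;
    memset(&len_engine, 0, sizeof len_engine);

    if (fixed) {
        /* Fix: clear per-rewrite state before each directive, so the copy
         * pass sees exactly the state the size pass budgeted for. */
        shared->is_args = 0;
    }

    size_t alloc = capture_len(&len_engine, cap);
    char *buf = malloc(alloc ? alloc : 1);
    if (buf == NULL) {
        abort();
    }

    size_t wanted = capture_copy(shared, cap, buf, alloc);
    free(buf);

    return wanted > alloc ? wanted - alloc : 0;
}

/* Runs the rewrite-then-set sequence on one captured value and returns the
 * overflow in bytes. fixed == 0 models the vulnerable engine. */
size_t rewrite_then_set_overflow(const char *capture, int fixed)
{
    engine_t e;
    memset(&e, 0, sizeof e);

    emit_question_mark(&e);                    /* rewrite ... /new?q=$1 */
    return eval_directive(&e, capture, fixed); /* set $copy $1 */
}

int main(void)
{
    const char *capture = "a+b&c";   /* constructed input: two escapable bytes */

    printf("vulnerable: %zu byte(s) past the allocation\n",
           rewrite_then_set_overflow(capture, 0));
    printf("fixed:      %zu byte(s) past the allocation\n",
           rewrite_then_set_overflow(capture, 1));
    return 0;
}
```

Build and run with `cc -Wall -o model model.c && ./model`. For the constructed capture "a+b&c" the vulnerable path budgets 5 bytes and tries to write 9, a 4-byte overflow; the fixed path reports 0. The invariant to check in any size-then-copy code is that every piece of state that influences how many bytes are emitted is identical in the pass that sizes the allocation and the pass that fills it; resetting per-directive state, as here, is one way to keep it, and computing the length from the very same engine instance is another.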

The researchers demonstrated unauthenticated code execution with specially crafted HTTP requests: POST request bodies spray fake structures into memory, the overflow corrupts adjacent NGINX memory pool structures and overwrites a cleanup handler pointer, and NGINX is then made to call ‘system()’ when the pool is cleaned up.
