NGINX CVE-2026-42945 Under Active Exploitation: 18-Year-Old Flaw Triggers Worker Crashes and RCE

CVE-2026-42945 | Actively Exploited | NGINX
  • CVSS Score: 9.2
  • Exploit Status: In the Wild
  • Patch Available: Yes
  • Affected Range: 0.6.27–1.30.0

[Infographic: an attacker's crafted HTTP request to ngx_rewrite_module in NGINX 0.6.27 through 1.30.0 (CVE-2026-42945, CVSS 9.2) triggers a heap overflow; worker crash/DoS under any configuration (VulnCheck confirmed); RCE only where ASLR is off (legacy/embedded); mitigation: F5 patch, NGINX 1.30.1+, and verify ASLR is on.]
TL;DR
  • What: CVE-2026-42945 is an 18-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module (CVSS 9.2) affecting versions 0.6.27 through 1.30.0, now actively exploited in the wild.
  • Impact: Unauthenticated attackers can crash NGINX worker processes (DoS, any config) or achieve remote code execution on systems with ASLR disabled.
  • Fix / mitigation: Apply F5's patch (NGINX 1.30.1+) immediately; verify ASLR is enabled on all NGINX hosts; deploy WAF rules to block malformed rewrite-module requests.
  • Who's at risk: Any organization running NGINX Plus or NGINX Open Source as a reverse proxy, load balancer, or web server on an unpatched version.

Active exploitation has been detected against CVE-2026-42945, an 18-year-old heap buffer overflow vulnerability in NGINX that affects every version from 0.6.27 through 1.30.0. VulnCheck's honeypot networks confirmed weaponization attempts within days of public disclosure, marking this as an urgent threat for organizations running NGINX Plus or NGINX Open Source.

The flaw resides in the ngx_http_rewrite_module component and carries a CVSS score of 9.2. According to AI-native security firm depthfirst, the bug was introduced in 2008. It allows unauthenticated attackers to send crafted HTTP requests that crash worker processes or execute arbitrary code. Remote code execution is possible on systems where Address Space Layout Randomization (ASLR) has been disabled, though the denial-of-service condition alone presents significant operational risk.

Exploitation Requirements and Attack Surface

CVE-2026-42945 requires specific NGINX configurations to be exploitable. Security researcher Kevin Beaumont notes that attackers must either know or discover the vulnerable configuration to successfully exploit the flaw. Achieving RCE is harder still, because ASLR must be disabled on the target system, a setting that runs counter to the default security posture of modern Linux distributions.

AlmaLinux maintainers assessed that reliable code execution is not trivial in default configurations. On systems with ASLR enabled—the default on all supported AlmaLinux releases—they do not expect generic, reliable exploits to emerge easily. However, the maintainers emphasized that 'not easy' does not equal 'impossible,' and the worker-crash denial-of-service vector alone warrants treating this vulnerability as urgent.

Immediate Action Required

Organizations running NGINX versions 0.6.27 through 1.30.0 must apply F5's patches immediately. Active exploitation is confirmed in the wild, and the worker-crash DoS condition is exploitable regardless of ASLR status. Delay in patching creates immediate operational risk.

Attack Activity Observations

VulnCheck detected exploitation attempts against their honeypot infrastructure shortly after CVE-2026-42945's public disclosure. The nature of the attack activity and the threat actors' ultimate objectives remain under investigation. The rapid weaponization timeline—measured in days rather than weeks—demonstrates how quickly adversaries incorporate newly disclosed vulnerabilities into their operational playbooks.

The speed of weaponization aligns with observed trends where critical web server vulnerabilities receive immediate attention from both criminal and nation-state threat actors. NGINX's widespread deployment across enterprise environments makes it a high-value target for reconnaissance, lateral movement, and establishing persistent access.

Concurrent openDCIM Exploitation Campaign

VulnCheck simultaneously reported active exploitation targeting three critical vulnerabilities in openDCIM, an open-source data center infrastructure management application. The flaws—CVE-2026-28515 (missing authorization), CVE-2026-28516 (SQL injection), and CVE-2026-28517 (command injection)—all score 9.3 on CVSS and can be chained for remote code execution over five HTTP requests.

VulnCheck researcher Valentin Lobstein discovered the vulnerability cluster in February 2026 and demonstrated that attackers can chain the exploits to spawn reverse shells. Current attack activity originates from a single Chinese IP address and employs what appears to be a customized implementation of Vulnhuntr, an AI-powered vulnerability discovery tool. Attackers are using the tool to automatically identify vulnerable installations before deploying PHP web shells.

Attack Pattern Analysis

The openDCIM exploitation demonstrates adversary adoption of AI-powered vulnerability discovery tools for automated reconnaissance and exploitation. Organizations should expect this pattern to accelerate as AI capabilities become more accessible to threat actors.

Technical Impact Assessment

The NGINX vulnerability's heap buffer overflow occurs during HTTP request processing in the rewrite module. When triggered, the overflow corrupts memory structures that can lead to worker process crashes or, in specific configurations, arbitrary code execution. The deterministic nature of the worker crash makes this an effective DoS vector even when RCE proves impractical.

For organizations running NGINX in reverse proxy, load balancer, or web server roles, worker crashes directly impact availability. Repeated exploitation can create sustained denial-of-service conditions that disrupt business operations. In environments where ASLR is disabled—such as certain embedded systems, legacy platforms, or deliberately hardened configurations optimized for performance over security—the RCE risk becomes immediate and critical.

Mitigation and Response Actions

F5 has released patches for all affected NGINX versions. Organizations must prioritize applying these updates to internet-facing NGINX instances first, followed by internal systems. The patching priority should reflect both external attack surface exposure and the criticality of services the NGINX instances support.

For environments where immediate patching is not feasible, apply the compensating controls listed in the TL;DR: verify that ASLR is enabled on every NGINX host, and deploy WAF rules that block malformed rewrite-module requests.
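The following shell script is an added example written for this page, not code from the advisory, F5 or VulnCheck. It turns the two checks the TL;DR calls for, the installed version against the affected range 0.6.27 through 1.30.0 (fixed in 1.30.1) and the host's ASLR state, into a small POSIX sh audit that can be dropped into a fleet inventory job. The affected range and fix version come from this page; the meaning of `/proc/sys/kernel/randomize_va_space` (2 = full randomization, 1 = partial with the brk heap left unrandomized, 0 = off) is the Linux kernel's; the `--live` mode, the verdict labels and the output format are assumptions made here.

```shell
#!/bin/sh
# Added audit helper (example code, not from the advisory, F5 or VulnCheck).
# Classifies an NGINX version string against the advisory's affected range
# (0.6.27 through 1.30.0, fixed in 1.30.1) and the Linux ASLR setting read
# from /proc/sys/kernel/randomize_va_space. Verdict labels and --live mode
# are assumptions of this example.

# version_le A B: exit 0 when dotted version A <= B. Up to three numeric
# components are compared; missing ones count as 0, so "1.30" is 1.30.0.
version_le() {
  printf '%s\n%s\n' "$1" "$2" | awk -F. '
    NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
    NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
    END {
      for (i = 1; i <= 3; i++) {
        if (a[i] < b[i]) exit 0
        if (a[i] > b[i]) exit 1
      }
      exit 0
    }'
}

# nginx_affected VERSION: exit 0 when VERSION lies inside 0.6.27..1.30.0
nginx_affected() {
  version_le 0.6.27 "$1" && version_le "$1" 1.30.0
}

# aslr_state VALUE: label a randomize_va_space value (2 full, 1 partial,
# anything else disabled or unreadable)
aslr_state() {
  case "$1" in
    2) echo full ;;
    1) echo partial ;;
    *) echo disabled ;;
  esac
}

# risk VERSION ASLR_VALUE: one verdict per host
#   patched      - version outside the affected range
#   dos-exposed  - affected, ASLR fully on (worker-crash DoS still possible)
#   rce-exposed  - affected, ASLR not fully on; level 1 is flagged here
#                  conservatively because the brk heap is not randomized
risk() {
  if ! nginx_affected "$1"; then
    echo patched
  elif [ "$(aslr_state "$2")" = full ]; then
    echo dos-exposed
  else
    echo rce-exposed
  fi
}

# Live check of the current host: sh nginx_audit.sh --live
if [ "${1:-}" = "--live" ]; then
  # nginx -v prints "nginx version: nginx/X.Y.Z" on stderr
  ver=$(nginx -v 2>&1 | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p')
  if [ -z "$ver" ]; then
    echo "nginx binary not found or version not parsed"
    exit 2
  fi
  aslr=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo 0)
  echo "nginx $ver aslr=$(aslr_state "$aslr") verdict=$(risk "$ver" "$aslr")"
fi
```

A host reporting `dos-exposed` still needs the patch, since the worker-crash condition does not depend on ASLR; `rce-exposed` hosts are the ones to patch first, and if `sysctl kernel.randomize_va_space` reads anything below 2 on a general-purpose Linux box, that setting should be corrected independently of this CVE.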

Strategic Implications

The rapid exploitation of CVE-2026-42945 reinforces the compressed timeline between vulnerability disclosure and active weaponization. Security teams can no longer rely on weeks or months to implement patches for publicly disclosed flaws. The discovery of an 18-year-old vulnerability in widely deployed software like NGINX demonstrates that legacy code bases continue to harbor exploitable flaws despite extensive production use and security scrutiny.

The concurrent exploitation of NGINX and openDCIM vulnerabilities, with threat actors leveraging AI-powered discovery tools, signals an evolution in adversary capabilities. Organizations must adapt their vulnerability management programs to account for accelerated exploitation timelines and the increasing sophistication of automated attack tools. Prioritization frameworks must weight active exploitation evidence more heavily than theoretical CVSS scores, and patch deployment processes must support emergency updates within days of disclosure rather than following traditional monthly cycles.
