
An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution.
The vulnerability is tracked as CVE-2026-42945 and received a critical severity rating of 9.2 under the latest version of the Common Vulnerability Scoring System (CVSS).
Three more memory corruption security issues were discovered in the same six-hour code scanning session by researchers at AI-native security company DepthFirst AI.
NGINX is a widely used web server and reverse proxy platform, powering a third of the top-ranked websites. It can efficiently balance load by distributing incoming network traffic across multiple backend servers and reduce load times by caching content.
Owned and maintained by American tech company F5, the web server is used by cloud providers, SaaS companies, banks, media platforms, e-commerce sites, and in Kubernetes clusters.
CVE-2026-42945 is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0, which has been in the project's code for roughly 18 years.
According to DepthFirst, the vulnerability can be triggered when NGINX configurations use both the 'rewrite' and 'set' directives, a pattern the researchers say is common in API gateways and reverse proxy setups.
The flaw stems from inconsistent state handling in NGINX's internal script engine, which processes rewrites in two passes: one to calculate the amount of memory to allocate, and one to copy the actual data.
An 'is_args' flag remains set after a rewrite containing '?', causing NGINX to calculate the buffer size using unescaped URI lengths but later write the larger escaped form of characters such as '+' and '&', leading to a heap buffer overflow.
The researchers demonstrated unauthenticated code execution via specially crafted HTTP requests that corrupt adjacent NGINX memory pool structures, overwrite cleanup handler pointers, spray fake structures into memory via POST request bodies, and force NGINX to execute 'system()' during pool cleanup.
However, remote code execution was achieved on a system with Address Space Layout Randomization (ASLR), the protection against memory-based attacks, turned off. This defense is active by default, but it can be disabled to increase performance in some environments, such as embedded systems and virtual machines used for analysis.
DepthFirst notes that NGINX's multi-process architecture makes exploitation easier because worker processes inherit nearly identical memory layouts from the master process, enabling reliable heap manipulation and repeated attempts if a worker crashes.
"If our exploit fails and crashes a worker, the master process simply spawns a new one with the exact same memory layout," the researchers explain.
"This allows us to safely try multiple times until we succeed without worrying about the worker crashing and changing the memory layout."
"Theoretically, we could leverage this design to leak ASLR (Address Space Layout Randomization) by progressively overwriting pointers byte by byte."
The other three flaws uncovered by DepthFirst received high or medium severity ratings:
- CVE-2026-42946 — excessive memory allocation in the SCGI/uwsgi modules that can crash workers via ~1 TB allocations (high severity)
- CVE-2026-40701 — use-after-free in asynchronous OCSP DNS resolution handling (medium severity)
- CVE-2026-42934 — off-by-one UTF-8 parsing bug causing out-of-bounds reads (medium severity)
Impact and fixes
The vulnerabilities were discovered on April 18, 2026, and reported to the vendor on April 21.
According to F5's security advisory, released yesterday, the flaws affect the following NGINX builds:
- NGINX Open Source versions 0.6.27 through 1.30.0
- NGINX Plus R32 through R36
- NGINX Instance Manager 2.16.0 through 2.21.1
- F5 WAF for NGINX 5.9.0 through 5.12.1
- NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0
- F5 DoS for NGINX 4.8.0
- NGINX App Protect DoS 4.3.0 through 4.7.0
- NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1
- NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1
Fixes have been made available in NGINX Open Source 1.31.0 and 1.30.1, NGINX Plus R36 P4, and NGINX Plus R32 P6.
For those unable to upgrade, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in vulnerable 'rewrite' rules with named captures, which removes the primary exploitation prerequisite.
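The following triage script is an added example for this article; it is not code from F5, DepthFirst, or the NGINX project. It packages the two facts above that an operator can act on: the affected NGINX Open Source range (0.6.27 through 1.30.0, fixed in 1.30.1 and 1.31.0) and the rewrite-plus-set configuration pattern with unnamed captures that F5's workaround targets. The sample configuration is constructed for the example, with one rule written the risky way and the same rule converted to a named capture; the hostnames and paths in it are placeholders, and the scan is a heuristic that flags any 'rewrite' directive referencing $1..$9, not a proof that a given rule is exploitable.

```shell
#!/bin/sh
# Added example, not F5/DepthFirst/NGINX code. Flags rewrite rules that use
# unnamed PCRE captures and classifies an NGINX Open Source version against
# the affected range given in the article.

# Constructed sample config (placeholder paths and upstream). The /api/ block
# is the pattern described as risky: 'set' plus 'rewrite' with unnamed capture
# $1 and a '?' in the replacement. The /legacy/ block is the same rule after
# applying F5's workaround (named capture, no $1).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;

    location /api/ {
        set $upstream_path $uri;
        rewrite ^/api/v1/(.*)$ /v1/$1?via=gateway break;
        proxy_pass http://backend;
    }

    location /legacy/ {
        set $upstream_path $uri;
        rewrite ^/legacy/(?<path>.*)$ /v1/$path?via=gateway break;
        proxy_pass http://backend;
    }
}
EOF

# Print (with line numbers) every rewrite directive whose replacement or flags
# reference an unnamed capture $1..$9. Reads a file, or stdin when no argument
# is given, so it can be fed the fully resolved config from `nginx -T`.
find_unnamed_rewrites() {
    grep -nE '^[[:space:]]*rewrite[[:space:]]' "${1:-/dev/stdin}" \
        | grep -E '\$[1-9]' || true
}

# Same scan, but emit only the count, for use in scripts and checks.
count_unnamed_rewrites() {
    find_unnamed_rewrites "$1" | grep -c . || true
}

# Pull the version out of `nginx -v` output, e.g. "nginx version: nginx/1.30.0".
parse_nginx_version() {
    printf '%s' "$1" | sed -n 's#.*nginx/\([0-9.]*\).*#\1#p'
}

# True when $1 >= $2 under version ordering (sort -V, GNU/BusyBox/BSD sort).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# True when an NGINX Open Source version falls in 0.6.27 .. 1.30.0 inclusive,
# the range the article gives. Fixed releases are 1.30.1 and 1.31.0. NGINX Plus
# and the other products listed above use their own numbering and are not
# covered by this check.
is_affected_version() {
    version_ge "$1" 0.6.27 && version_ge 1.30.0 "$1"
}

echo "rewrite rules using unnamed captures in $SAMPLE_CONF:"
find_unnamed_rewrites "$SAMPLE_CONF"
for v in 1.26.3 1.30.0 1.30.1 1.31.0; do
    if is_affected_version "$v"; then
        echo "$v: affected"
    else
        echo "$v: not affected"
    fi
done
```

On a real host, run the scan over the resolved configuration rather than a single file, since `include` directives are common: `nginx -T 2>/dev/null | find_unnamed_rewrites`. A flagged rule is a candidate for the named-capture rewrite shown in the /legacy/ block, not a confirmed exposure; upgrading to a fixed release remains the actual remediation.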
Exploitability in the real world
Some security researchers have pushed back on the real-world exploitability claims surrounding CVE-2026-42945, arguing that DepthFirst's proof-of-concept relies on highly specific conditions that are not commonly present in default deployments.
Researcher Kevin Beaumont noted that exploitation requires a vulnerable NGINX configuration using specific rewrite patterns, the attacker must know or discover the affected endpoint, and the published RCE PoC was tested with ASLR disabled.
Beaumont stressed that the researchers' exploit was built against a deliberately vulnerable setup and does not demonstrate reliable code execution against hardened real-world systems.

AlmaLinux echoed a similar assessment in its advisory, after independently reproducing the flaw.
The Linux distribution's maintainers confirmed that crashing NGINX worker processes via a crafted request is trivial and reliable, making denial-of-service attacks realistic.
However, they said that turning the heap overflow into reliable remote code execution on systems with ASLR enabled "is not trivial," and they do not expect a generic, reliable exploit to emerge from DepthFirst's work.
At the same time, AlmaLinux cautioned that "not easy" does not mean impossible, and that the DoS potential is enough on its own to treat the issue as urgent.
