
Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks

Cybersecurity News, archived May 14, 2026

By Abinaya, May 14, 2026

A critical heap buffer overflow vulnerability has been discovered in the source code of NGINX, present since 2008. This vulnerability has been publicly disclosed, along with a working proof-of-concept exploit that can enable unauthenticated remote code execution (RCE) against one of the most widely used web servers in the world.

Assigned a CVSS score of 9.2, CVE-2026-42945 resides in NGINX’s ngx_http_rewrite_module. This engine powers URL rewriting and variable assignment in virtually every modern NGINX deployment. The bug was first introduced in version 0.6.27, released in 2008, and remained undetected for 18 years across all versions up to 1.30.0.

18-Year-Old NGINX RCE Vulnerability

The flaw is triggered when a configuration uses both rewrite and set directives together, a common pattern in API gateway setups. NGINX’s internal script engine processes these directives using a two-pass system: the first pass calculates memory length, and the second writes data into the allocated buffer.

The critical flaw lies in a state mismatch between the two passes. When a rewrite directive contains a question mark (?), it permanently sets an is_args = 1 flag on the main script engine. However, during the first (length calculation) pass, a zeroed-out sub-engine is used, meaning is_args is effectively zero. The length is calculated without accounting for URI escaping.

[Figure: NGINX Hit by 4 Memory Flaws (source: depthfirst)]

In the second (copy) pass, the main engine runs with is_args = 1, causing the ngx_escape_uri function to expand each escapable byte from 1 to 3 bytes. The result: far more data is written to the buffer than was allocated, leading to a classic heap buffer overflow. Researchers developed a working RCE exploit for systems with ASLR disabled.
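
The two-pass mismatch described above, modelled in Python as an added illustration (not NGINX source and not from the article): the length pass and the copy pass disagree about is_args, so the copy wants more bytes than were allocated. The function names, the `sub_engine_inherits` switch and the escapable-byte set are assumptions made for the model; the "consistent" case shows the invariant a fix must restore, not the actual patch.

```python
# Added illustration, not NGINX source: a toy model of the two-pass evaluation.
# ESCAPABLE is a constructed set; the real escape table differs.
ESCAPABLE = set(b' "#%&+?<>')

def length_pass(value: bytes, is_args: bool) -> int:
    """Pass 1: size the buffer; escapable bytes count as 3 only when is_args."""
    extra = 2 * sum(b in ESCAPABLE for b in value) if is_args else 0
    return len(value) + extra

def copy_pass(value: bytes, is_args: bool, capacity: int):
    """Pass 2: produce the bytes the engine wants to write, then bound them.

    Returns (stored, overrun): what fits in `capacity` and how many bytes
    would have landed past the end of the allocation in unchecked C code.
    """
    out = bytearray()
    for b in value:
        out += b"%%%02X" % b if (is_args and b in ESCAPABLE) else bytes([b])
    return bytes(out[:capacity]), max(0, len(out) - capacity)

def evaluate(value: bytes, main_is_args: bool, sub_engine_inherits: bool):
    """Model one set-style assignment; returns (allocated, wanted, overrun)."""
    # The length pass runs on a sub-engine: zeroed state means is_args == 0
    # there, whatever an earlier rewrite with '?' left on the main engine.
    allocated = length_pass(value, main_is_args and sub_engine_inherits)
    stored, overrun = copy_pass(value, main_is_args, allocated)
    return allocated, len(stored) + overrun, overrun

if __name__ == "__main__":
    sample = b"q=a b&next=/x?y"          # constructed input
    print("mismatched state :", evaluate(sample, True, False))
    print("consistent state :", evaluate(sample, True, True))
    print("no '?' in rewrite:", evaluate(sample, False, False))
```

In the mismatched case the overrun is two bytes per escapable input byte, which is why the size of the write past the buffer follows the request data.
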

The security research firm depthfirst autonomously discovered the vulnerability during an April 2026 code audit that also uncovered three additional memory corruption bugs. The attack chains heap manipulation, fake cleanup structure spraying via POST bodies, and NGINX’s deterministic multi-process architecture to achieve reliable, repeatable code execution. A public PoC is now available on GitHub.

Three additional CVEs were confirmed alongside the critical flaw:

| CVE | Severity | CVSS | Affected Module | Impact |
|---|---|---|---|---|
| CVE-2026-42945 | Critical | 9.2 | ngx_http_rewrite_module | Heap buffer overflow → RCE |
| CVE-2026-42946 | High | 8.3 | ngx_http_scgi/uwsgi_module | ~1 TB allocation → crash |
| CVE-2026-40701 | Medium | 6.3 | ngx_http_ssl_module | Use-after-free via OCSP |
| CVE-2026-42934 | Medium | 6.3 | ngx_http_charset_module | Out-of-bounds read |

The vulnerability impacts a wide range of F5/NGINX products, including NGINX Open Source 0.6.27–1.30.0, NGINX Plus R32–R36, NGINX Instance Manager, NGINX App Protect WAF, NGINX Gateway Fabric, and NGINX Ingress Controller.

| Product | Affected Versions | Patched Version |
|---|---|---|
| NGINX Plus | R32 – R36 | R36 P1+ / R37+ |
| NGINX Instance Manager | 2.16.0 – 2.21.1 | 2.21.2+ |
| F5 WAF for NGINX | 5.9.0 – 5.12.1 | 5.12.2+ |
| NGINX App Protect WAF | 4.9.0 – 4.16.0 and 5.1.0 – 5.8.0 | 4.16.1+ / 5.8.1+ |
| F5 DoS for NGINX | 4.8.0 | 4.8.1+ |
| NGINX App Protect DoS | 4.3.0 – 4.7.0 | 4.7.1+ |
| NGINX Gateway Fabric | 1.3.0 – 1.6.2 and 2.0.0 – 2.5.1 | 1.6.3+ / 2.5.2+ |
| NGINX Ingress Controller | 3.5.0 – 3.7.2, 4.0.0 – 4.0.1, 5.0.0 – 5.4.1 | 3.7.3+ / 4.0.2+ / 5.4.2+ |

F5 released its official security advisory on May 13, 2026. Administrators should upgrade to NGINX 1.30.1 or 1.31.0 immediately. Organizations that cannot patch right away should audit configurations for combined rewrite + set directive usage and consider restricting exposed NGINX deployments behind an additional WAF layer until patching is complete.
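
One way to run the configuration audit recommended above, as an added example that is not from the article or from F5: a small Python scanner that reports each server block holding both a set directive and a rewrite whose replacement contains a ?. Grouping findings by server block and checking only the replacement argument are assumptions of this example, and the sample configuration is constructed.

```python
import re

# Added example: tokens are quoted strings, comments, '{' '}' ';', bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|(?:\$\{\w+\}|[^\s{};])+''')

def directives(text):
    """Yield (enclosing_blocks, line_no, words) for each simple directive."""
    stack, words, line = [], [], 1
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if not words:
            line = text.count("\n", 0, m.start()) + 1
        if tok == "{":
            stack.append(f"{' '.join(words)}@{line}")
        elif tok == "}":
            stack = stack[:-1]
        elif tok == ";" and words:
            yield tuple(stack), line, words
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok.strip("\"'"))

def audit(text):
    """Map each server scope to lines of '?'-bearing rewrites and of set."""
    scopes = {}
    for blocks, line, words in directives(text):
        scope = next((b for b in blocks if b.split("@")[0] == "server"), "main")
        hit = scopes.setdefault(scope, {"rewrite_q": [], "set": []})
        # Assumption: the '?' that matters is in the replacement (3rd word).
        if words[0] == "rewrite" and len(words) >= 3 and "?" in words[2]:
            hit["rewrite_q"].append(line)
        elif words[0] == "set":
            hit["set"].append(line)
    return {s: h for s, h in scopes.items() if h["rewrite_q"] and h["set"]}

SAMPLE = r'''
server {
    location /api/ {
        set $backend "v2";
        rewrite ^/api/(.*)$ /internal/$1?src=gw last;
    }
}
server {
    set $tier "static";
    rewrite ^/old/(.*)$ /new/$1 permanent;
}'''  # constructed config: first server has both, second has no '?'
print(audit(SAMPLE))
```

Scope keys have the form `server@<line>`, so each finding points at the block to review first; configurations split across include files need each file passed through `audit` separately.
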