
Susilo harjo

Posted on • Originally published at susiloharjo.web.id

NGINX CVE-2026-42945: An 18-Year-Old Heap Overflow Now Actively Exploited

A heap buffer overflow that has existed inside the NGINX codebase since 2008 is now under active exploitation in the wild. Tracked as CVE-2026-42945 and assigned a CVSS score of 9.2, the vulnerability affects the ngx_http_rewrite_module across all versions of NGINX Open Source and NGINX Plus from 0.6.27 through 1.30.0. Researchers at depthfirst, an AI-native security firm, traced the bug to a commit made nearly two decades ago — meaning it has survived every release cycle, every security audit, and every upgrade NGINX has undergone since.

The Technical Picture

The flaw is a classic heap buffer overflow. When an attacker sends a specially crafted HTTP request to a server with a vulnerable rewrite configuration, the request triggers memory corruption on the heap. The immediate consequence is a worker process crash — a reliable denial-of-service vector that requires nothing more than a single malicious request. In more dangerous scenarios, an attacker can leverage the corruption for remote code execution (RCE), potentially running arbitrary commands on the target.

There is a significant caveat: reliable RCE depends on Address Space Layout Randomization (ASLR) being disabled on the target system. ASLR is enabled by default on every modern Linux distribution, including AlmaLinux, Ubuntu, Debian, and RHEL. AlmaLinux maintainers acknowledged that while "turning the heap overflow into reliable code execution is not trivial in the default configuration," they also warned that "'not easy' is not 'impossible,' and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent."

Exploitation Is Already Happening

VulnCheck's honeypot network has detected live exploitation attempts just days after the public disclosure. While the campaign's objectives and full scope remain under investigation, the speed of weaponization matches a broader trend: the gap between CVE publication and in-the-wild exploitation has collapsed from months to days.

NGINX powers roughly one-third of all websites globally. The sheer size of the attack surface — combined with the triviality of triggering the DoS vector — makes this vulnerability especially dangerous for organizations that cannot patch quickly.

A Parallel Campaign: openDCIM

VulnCheck simultaneously reported attackers exploiting three chained vulnerabilities in openDCIM, an open-source data center infrastructure management tool:

  • CVE-2026-28515 (CVSS 9.3) — Missing authorization allowing unauthorized LDAP configuration access
  • CVE-2026-28516 (CVSS 9.3) — SQL injection vulnerability
  • CVE-2026-28517 (CVSS 9.3) — OS command injection in report_network_map.php

Chained together, these three flaws let an attacker achieve remote code execution and spawn a reverse shell in just five HTTP requests. VulnCheck observed attackers using an AI-assisted discovery tool (Vulnhuntr) to automate the identification of vulnerable instances and drop PHP web shells. The attack cluster originates from a single Chinese IP address.

What to Do Right Now

Patch immediately. F5 has released fixes for all affected NGINX versions. Upgrade to NGINX 1.30.1 or newer for open source deployments, or apply updates through the F5 customer portal for NGINX Plus. Distribution packages from AlmaLinux, Debian, Ubuntu, and RHEL are shipping backported fixes — check your package manager.

For environments that cannot patch immediately:

  • Restrict network access to NGINX on ports 80 and 443
  • Audit rewrite configurations and disable unnecessary rules
  • Verify ASLR is enabled (cat /proc/sys/kernel/randomize_va_space should print 2)
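The three checks above can be scripted for hosts that will be waiting on a patch. The following is an added example written for this article, not code from the post, from F5 or from any distribution. It takes the affected range (0.6.27 through 1.30.0, fixed in 1.30.1) and the expected randomize_va_space value (2) from the text; the file-path parameters on the check functions, the use of `nginx -v` and `nginx -T` for the live run, and the sample config written by write_sample_config are assumptions added so each check can be exercised offline against constructed input.

```shell
#!/bin/sh
# Added example, not from the original post: a defender-side triage script for
# CVE-2026-42945 covering the three interim checks (exposure, rewrite audit,
# ASLR). Version bounds and the ASLR value come from the post; the file-path
# parameters and the sample config below are assumptions for offline use.

# ver_cmp A B: compare two dotted versions numerically; prints -1, 0 or 1.
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# version_vulnerable V: true when V lies in the affected range named in the post
# (0.6.27 through 1.30.0 inclusive; 1.30.1 is the first fixed release).
version_vulnerable() {
    [ "$(ver_cmp "$1" 0.6.27)" -ge 0 ] && [ "$(ver_cmp "$1" 1.30.0)" -le 0 ]
}

# aslr_ok [FILE]: true when randomize_va_space reads 2 (full randomization).
# FILE defaults to the real sysctl node; the argument exists so the check can
# be tested against a constructed file.
aslr_ok() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "2" ]
}

# count_rewrite_rules FILE: number of active rewrite directives in an nginx
# config, ignoring commented-out lines, so each one can be audited.
count_rewrite_rules() {
    sed 's/#.*//' "$1" | grep -c -E '^[[:space:]]*rewrite[[:space:]]' || true
}

# write_sample_config FILE: constructed nginx snippet for the offline demo; it
# is not a real deployment config. Two live rewrites, one commented out.
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    # rewrite ^/old$ /new permanent;   (disabled, must not be counted)
    location /legacy {
        rewrite ^/legacy/(.*)$ /v2/$1 last;
    }
    rewrite ^/blog/([0-9]+)$ /posts/$1 permanent;
}
EOF
}

# triage: run the checks against the live host. Uses `nginx -v` for the version
# and `nginx -T` (full config dump, normally needs root) for the rewrite audit.
# Exit status 0 means nothing found, 1 means at least one item needs attention.
triage() {
    action=0
    ver=$(nginx -v 2>&1 | sed -n 's|.*nginx/\([0-9.]*\).*|\1|p')
    if [ -z "$ver" ]; then
        echo "nginx binary not found or version not parsed"
    elif version_vulnerable "$ver"; then
        echo "nginx $ver is in the affected range: upgrade to 1.30.1 or a backported build"
        action=1
    else
        echo "nginx $ver is outside the affected range"
    fi
    if aslr_ok; then
        echo "ASLR: randomize_va_space=2 (ok)"
    else
        echo "ASLR is not fully enabled; set kernel.randomize_va_space=2"
        action=1
    fi
    dump=$(mktemp)
    if nginx -T >"$dump" 2>/dev/null; then
        echo "active rewrite directives to audit: $(count_rewrite_rules "$dump")"
    else
        echo "could not dump config (nginx -T); audit rewrite rules manually"
    fi
    rm -f "$dump"
    return $action
}

# The live triage runs only when invoked as `sh triage.sh --run`; sourcing the
# file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

The version comparison is numeric per component rather than a string compare, so 1.9 correctly sorts below 1.10 and a distribution build reporting 1.30.0 is still flagged; backported fixes that keep the upstream version number will show as affected here, and the package changelog is the authority in that case. The rewrite count is only a starting point for the audit the post asks for: each counted directive should be reviewed and disabled if it is not needed.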

For openDCIM users: take any internet-facing deployment offline until patches are applied. The exploit chain provides reliable remote access to the underlying operating system.

The Bigger Lesson

An 18-year-old vulnerability in one of the most trusted pieces of internet infrastructure should reset expectations about software security. Age does not guarantee safety. The patch latency window — now measured in single-digit days — has become the single most important metric for defenders. Organizations that treat every critical CVE as an active, imminent threat are the ones that survive.

Full article with additional context at susiloharjo.web.id.
