

Ethical Hacking News

New Vulnerability Discovered in NGINX Web Server: Potential for DoS and Remote Code Execution




A new vulnerability has been discovered in the popular open-source web server NGINX that can be exploited for denial-of-service (DoS) attacks and, under certain conditions, remote code execution (RCE). The flaw, tracked as CVE-2026-42945, was found on April 18, 2026 by an autonomous scanning system and affects a wide range of NGINX builds. Organizations relying on NGINX are advised to prioritize patching, with a configuration workaround available for those unable to upgrade immediately.

  • Researchers at DepthFirst have identified a critical heap buffer overflow vulnerability (CVE-2026-42945) in NGINX, which can be exploited for denial-of-service (DoS) attacks and remote code execution (RCE).
  • The vulnerability impacts various NGINX builds, including Open Source versions 0.6.27 through 1.30.0, NGINX Plus R32 through R36, and F5 WAF for NGINX.
  • The flaw is caused by inconsistent state handling in NGINX's internal script engine, which can lead to a heap buffer overflow when processing rewrites.
  • DepthFirst demonstrated unauthenticated code execution via specially crafted HTTP requests on systems with ASLR protection turned off.
  • The vulnerability has significant implications for organizations relying on NGINX, which powers a third of the top-ranked websites.
  • The fix is to upgrade. For deployments that cannot, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in rewrite rules with named captures. ASLR, which was disabled on the system where DepthFirst achieved code execution, remains a barrier to RCE but does not prevent the crash.



    A recent discovery by researchers at AI-native security company DepthFirst has shed light on a critical vulnerability in the popular open-source web server NGINX. The newly identified flaw, tracked as CVE-2026-42945, is a heap buffer overflow that can be exploited for denial-of-service (DoS) attacks and, under certain conditions, remote code execution (RCE).

    The vulnerability was discovered on April 18, 2026, using an autonomous scanning system, and was reported to the vendor on April 21. According to F5's security advisory, released yesterday, the flaw impacts the following NGINX builds: NGINX Open Source versions 0.6.27 through 1.30.0, NGINX Plus R32 through R36, NGINX Instance Manager 2.16.0 through 2.21.1, F5 WAF for NGINX 5.9.0 through 5.12.1, NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0, F5 DoS for NGINX 4.8.0, and NGINX App Protect DoS 4.3.0 through 4.7.0.

    The vulnerability stems from inconsistent state handling in NGINX's internal script engine, which processes a rewrite in two passes: one to calculate how much memory to allocate, and one to copy the data into it. The researchers noted that an 'is_args' flag remains set after a rewrite containing '?', so the buffer is sized from the unescaped URI length while the copy pass writes the longer escaped form of characters such as '+' and '&'. The copy therefore runs past the end of the allocation: a heap buffer overflow.
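    The two-pass mismatch described above, modelled as an added C example (hypothetical code written for this article, not nginx's source): a length pass, a copy pass that percent-escapes when an args flag is set, and what happens when the flag the copy pass sees is stale. The escape set, the names capture_len, capture_copy, stale_flag_overflow and bounded_rewrite, and the sample capture "a+b&c" are all constructed for the model. The hardened variant bounds the copy by the reservation so that a disagreement between the passes fails the request instead of corrupting the heap; the real fix is to make both passes see the same state, and the bound is the safety net beneath it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a two-pass rewrite engine (hypothetical code written for this
 * article, not nginx's source). Pass 1 measures how many bytes a regex capture
 * will occupy; pass 2 copies it. If the args flag the two passes see differs,
 * pass 2 emits more bytes than pass 1 reserved. */

/* Bytes the toy escaper expands to %XX in the args context (model assumption). */
static int needs_escape(unsigned char c)
{
    return c == '+' || c == '&' || c == ' ' || c == '#';
}

/* Pass 1: bytes the capture will occupy under the given flag. */
static size_t capture_len(const char *cap, size_t n, int is_args)
{
    size_t len = n;
    if (is_args) {
        for (size_t i = 0; i < n; i++) {
            if (needs_escape((unsigned char) cap[i])) {
                len += 2;                    /* one byte becomes "%XX" */
            }
        }
    }
    return len;
}

/* Pass 2: copy the capture into dst, escaping if is_args. Never writes past
 * `room` bytes; returns bytes written, or -1 if the data would not fit. */
static long capture_copy(char *dst, size_t room, const char *cap, size_t n,
                         int is_args)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char) cap[i];
        size_t need = (is_args && needs_escape(c)) ? 3 : 1;
        if (w + need > room) {
            return -1;
        }
        if (need == 3) {
            dst[w++] = '%';
            dst[w++] = hex[c >> 4];
            dst[w++] = hex[c & 0x0F];
        } else {
            dst[w++] = (char) c;
        }
    }
    return (long) w;
}

/* Vulnerable pattern: pass 1 runs with the flag clear, then a stale flag (left
 * set by an earlier rewrite containing '?') is what pass 2 sees. The copy goes
 * into a worst-case-sized scratch buffer so the model itself is memory-safe;
 * the return value is how far the copy would overrun a buffer sized by pass 1. */
size_t stale_flag_overflow(const char *cap, int stale_is_args)
{
    size_t n = strlen(cap);
    size_t reserved = capture_len(cap, n, 0);        /* pass 1 sees flag clear */
    char *scratch = malloc(3 * n + 1);               /* 3n: every byte escaped */
    if (scratch == NULL) return 0;
    long written = capture_copy(scratch, 3 * n + 1, cap, n, stale_is_args);
    free(scratch);
    if (written < 0 || (size_t) written <= reserved) {
        return 0;
    }
    return (size_t) written - reserved;
}

/* Hardened pattern: the copy is bounded by the reservation instead of trusting
 * it, so a disagreement between passes fails closed (-1) rather than corrupting
 * the heap. Pass 1 still sees the flag clear; `copy_is_args` is what pass 2 sees. */
int bounded_rewrite(const char *cap, int copy_is_args, char *out, size_t out_sz)
{
    size_t n = strlen(cap);
    size_t reserved = capture_len(cap, n, 0);
    if (reserved + 1 > out_sz) return -1;            /* caller's buffer too small */
    long written = capture_copy(out, reserved, cap, n, copy_is_args);
    if (written < 0) {
        out[0] = '\0';
        return -1;                                   /* passes disagreed: refuse */
    }
    out[written] = '\0';
    return 0;
}

int main(void)
{
    char out[64];
    printf("stale flag set:   would overrun by %zu bytes\n", stale_flag_overflow("a+b&c", 1));
    printf("stale flag clear: would overrun by %zu bytes\n", stale_flag_overflow("a+b&c", 0));
    printf("bounded, stale:   %s\n", bounded_rewrite("a+b&c", 1, out, sizeof out) == 0 ? out : "rejected");
    printf("bounded, clean:   %s\n", bounded_rewrite("a+b&c", 0, out, sizeof out) == 0 ? out : "rejected");
    return 0;
}
```

    Compile with `cc -std=c99 -Wall` and run. For the five-byte capture "a+b&c", pass 1 reserves five bytes, but with the stale flag set the copy pass emits nine (each of '+' and '&' becomes three bytes), so the unbounded model overruns by four bytes; the bounded variant rejects the same input and emits it unchanged when the flag is clean. Note that the overrun grows with the number of escapable bytes in the captured text, which is attacker-controlled.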

    DepthFirst demonstrated unauthenticated code execution via specially crafted HTTP requests that corrupt adjacent NGINX memory pool structures, overwrite cleanup handler pointers, spray fake structures into memory via POST request bodies, and force NGINX to execute 'system()' during pool cleanup. The demonstration, however, was on a system with Address Space Layout Randomization (ASLR) turned off; with ASLR enabled, an attacker would first need to learn the process's addresses.

    The researchers explained that NGINX's multi-process architecture makes exploitation easier because worker processes inherit nearly identical memory layouts from the master process, enabling reliable heap manipulation and repeated attempts if a worker crashes. "If our exploit fails and crashes a worker, the master process simply spawns a new one with the exact same memory layout," they said. "This allows us to safely try multiple times until we succeed without worrying about the worker crashing and changing the memory layout."

    DepthFirst noted that, in theory, an attacker could use this same property to bypass ASLR, leaking address bytes by progressively overwriting pointers one byte at a time across repeated attempts.

    The vulnerability has significant implications for organizations relying on NGINX, which is a massively used web server and reverse proxy platform powering a third of the top-ranked websites. It can efficiently balance load by distributing incoming network traffic to multiple backend servers and reduce load times by caching content.

    Owned and maintained by American tech firm F5, NGINX is used by cloud providers, SaaS companies, banks, media platforms, e-commerce sites, and in Kubernetes clusters.

    The fix is to upgrade to a patched release. For deployments that cannot upgrade immediately, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in affected 'rewrite' rules with named captures, which removes the main exploitation prerequisite. This workaround is a configuration change that can be applied without service disruption and should be prioritized until the upgrade is done.

    ASLR should stay enabled. DepthFirst's code execution was demonstrated only with ASLR disabled, so it remains a meaningful barrier to RCE, although it does nothing to prevent the denial-of-service crash and the researchers believe it could in theory be bypassed by leaking pointers byte by byte.
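    The workaround F5 describes, shown as an added configuration example (written for this article, not taken from the advisory; the paths and the capture name tail are made up): the same rewrite rule first with an unnamed capture and then with a named one.

```nginx
# Before: the rule references an unnamed PCRE capture group as $1.
location /old/ {
    rewrite ^/old/(.*)$ /new/$1 last;
}

# After: the group is named and referenced as the variable $tail instead of $1.
location /old/ {
    rewrite "^/old/(?<tail>.*)$" /new/$tail last;
}
```

    Audit every rewrite in the configuration tree rather than the obvious ones (`grep -rnE 'rewrite[^;]*\$[0-9]' /etc/nginx/` lists the unnamed references), validate with `nginx -t`, then apply with `nginx -s reload`, which starts workers on the new configuration while the old ones finish in-flight requests, so the change needs no downtime. The workaround reduces exposure of the rewrite path; it is not a substitute for upgrading.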

    The discovery of this critical vulnerability serves as a stark reminder of the importance of ongoing patch management and vulnerability assessment for organizations relying on open-source software components.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Vulnerability-Discovered-in-NGINX-Web-Server-Potential-for-DoS-and-Remote-Code-Execution-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/

  • https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42945

  • https://www.cvedetails.com/cve/CVE-2026-42945/


  • Published: Thu May 14 10:54:38 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
