NGINX Plus heap overflow, unauth (CVE-2026-42945) [PoC]
CVE-2026-42945: NGINX Plus and Open Source heap buffer overflow via crafted HTTP request with PCRE captures. Update to fixed version.
Exploitation confirmed; a public proof-of-concept is available. CVE-2026-42945 is a critical heap buffer overflow in NGINX Plus and NGINX Open Source that lets an unauthenticated attacker crash the worker process and potentially execute code on systems without ASLR. Patches are available; update immediately.
Overview
CVE-2026-42945 affects NGINX Plus and NGINX Open Source installations that use the ngx_http_rewrite_module. The vulnerability is triggered when a rewrite directive is followed by another rewrite, if, or set directive containing an unnamed PCRE capture (such as $1 or $2) in a replacement string that includes a question mark (?).
An unauthenticated attacker can send specially crafted HTTP requests to exploit this condition. When successful, the attack causes a heap buffer overflow in the NGINX worker process, leading to a crash and restart of that worker. On systems where ASLR is disabled, the overflow may allow arbitrary code execution.
This vulnerability has a CVSS score of 9.2 (Critical). The attack vector is network-based and requires neither privileges nor user interaction. However, the attack complexity is high, meaning the attacker needs specific conditions beyond their control to align for successful exploitation.
Note that software versions which have reached End of Technical Support are not evaluated, so users on unsupported branches should upgrade to a supported release.
Affected Products
- NGINX Open Source (all versions with ngx_http_rewrite_module enabled)
- NGINX Plus (all versions with ngx_http_rewrite_module enabled)
Impact
The primary impact is denial of service through worker process crashes. On systems without ASLR protections, code execution is possible, which could lead to full server compromise, data theft, or lateral movement within the network.
Remediation and Mitigation
- Update to the latest patched version of NGINX Plus or NGINX Open Source from the official repositories.
- If immediate patching is not possible, consider disabling the ngx_http_rewrite_module if your configuration does not require it.
- Ensure ASLR is enabled on all production systems to reduce the risk of code execution.
- Review your NGINX configurations for patterns matching the vulnerable directive sequence and remove unnecessary rewrite rules.
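To support the configuration review step above, here is an added audit script (not from the advisory or the NGINX project) that scans an nginx configuration for the sequence the Overview describes: a rewrite followed, in the same or an enclosing block, by a rewrite, if or set whose replacement, value or condition uses an unnamed capture and contains a question mark. The sample configuration and the helper name are constructed for this example, and the check is line-based and deliberately conservative, so each hit should be reviewed by hand.

```python
import re
# Second half of the advisory's sequence: rewrite/if/set using $1..$9 and a '?'.
FOLLOWER_RE = re.compile(r"^(rewrite|if|set)\b\s*(?P<args>.*)$")
REWRITE_RE = re.compile(r"^rewrite\b")
UNNAMED_CAPTURE_RE = re.compile(r"\$[1-9]\b")

def _inspected_part(directive, args):
    """Hypothetical helper: for rewrite/set only the replacement or value is
    checked; for if the whole condition is checked."""
    tokens = args.split()
    if directive in ("rewrite", "set"):
        return tokens[1] if len(tokens) > 1 else ""
    return args

def find_risky_sequences(conf_text):
    """Return (line_no, directive, line) for each rewrite/if/set that follows a
    rewrite in the same or an enclosing block and whose inspected part holds
    both an unnamed capture and a '?'."""
    findings = []
    seen_rewrite = [False]  # one flag per open block, inherited on nesting
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.split("#", 1)[0].strip()  # drop comments
        if not stripped:
            continue
        m = FOLLOWER_RE.match(stripped)
        if m and seen_rewrite[-1]:
            part = _inspected_part(m.group(1), m.group("args"))
            if UNNAMED_CAPTURE_RE.search(part) and "?" in part:
                findings.append((line_no, m.group(1), stripped))
        if REWRITE_RE.match(stripped):
            seen_rewrite[-1] = True
        for ch in stripped:  # track block nesting by braces
            if ch == "{":
                seen_rewrite.append(seen_rewrite[-1])
            elif ch == "}" and len(seen_rewrite) > 1:
                seen_rewrite.pop()
    return findings

# Constructed sample configuration: only line 4 matches the pattern.
SAMPLE_CONF = """\
server {
    location /old {
        rewrite ^/old/(.*)$ /legacy/$1 last;
        rewrite ^/legacy/(.*)$ /new?path=$1 break;
    }
    location /ok {
        rewrite ^/a/(.*)$ /b/$1 last;
        set $target /static/$1;
    }
}
"""
```

Run it against the output of `nginx -T` to cover included files; a set inside an if block is also flagged when a rewrite precedes it in the enclosing location.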
Security Insight
This vulnerability demonstrates the ongoing risk of memory safety issues in high-performance C-based infrastructure software. NGINX has historically had a strong security record, but this finding highlights that even well-audited codebases can harbor subtle memory corruption bugs in lesser-used edge cases. The attack complexity required to trigger this flaw likely limits its real-world exploitation to targeted attacks rather than broad scanning, but the availability of a proof-of-concept means defenders should treat it as an urgent patching priority. Organizations running NGINX as a reverse proxy or API gateway should prioritize this update alongside TLS and authentication hardening.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| DepthFirstDisclosures/Nginx-Rift exploit for CVE-2026-42945 | ★ 112 |
Source: nomi-sec/PoC-in-GitHub.