Anonymous Intelligence Signal

18-Year-Old NGINX Rewrite Module Heap Overflow Exposes Servers to Remote Code Execution

human The Lab unverified 2026-05-14 07:48:21 Source: The Hacker News Echo RSS

A critical vulnerability embedded in NGINX's rewrite module went undetected for nearly two decades before depthfirst researchers uncovered the flaw during a security audit. The heap buffer overflow, tracked as CVE-2026-42945, carries a CVSS v4 score of 9.2 and affects both NGINX Plus and NGINX Open Source distributions. The flaw resides in ngx_http_rewrite_module, a component widely deployed across production web servers globally.

The vulnerability enables unauthenticated remote code execution, meaning attackers with network access could execute arbitrary code without possessing valid credentials. Depthfirst's analysis confirmed the overflow occurs during rewrite directive processing, allowing memory corruption that could be weaponized for server compromise. The 18-year dormancy period is particularly alarming given NGINX's market dominance as one of the most widely used web server and reverse proxy solutions worldwide.

Organizations running NGINX deployments should prioritize patching immediately, as proof-of-concept development by threat actors remains a foreseeable risk. The extended exposure window raises questions about existing compromise, since any prior exploitation would have left no obvious traces. Security teams should audit server configurations for suspicious rewrite rules and monitor for indicators of lateral movement. NGINX has released updates addressing this flaw; however, the age of the vulnerability suggests that legacy or unmaintained instances may remain vulnerable for extended periods.
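
As a starting point for the configuration audit recommended above, the following added example (not from the article or from NGINX) inventories every use of an ngx_http_rewrite_module directive in a configuration dump, so teams can see which hosts and files actually exercise the module. It assumes the input is the text printed by `nginx -T`, takes the directive list from the nginx documentation, and uses a constructed sample; it does not identify a vulnerable pattern, since the article does not describe one.

```python
import re
from collections import Counter

# Directives provided by ngx_http_rewrite_module (per the nginx documentation).
REWRITE_DIRECTIVES = ("break", "if", "return", "rewrite", "rewrite_log",
                      "set", "uninitialized_variable_warn")
# `nginx -T` prefixes each dumped file with this marker line.
_FILE_MARKER = re.compile(r"^# configuration file (.+):\s*$")
# A directive name starts a statement: at line start or after ';', '{' or '}'.
_DIRECTIVE = re.compile(r"(?:^|[;{}])\s*(%s)(?=[\s;(])" % "|".join(REWRITE_DIRECTIVES))

def inventory(dump):
    """Return (file, line_no, directive, text) for each rewrite-module directive."""
    hits, current, line_no = [], "<unknown>", 0
    for raw in dump.splitlines():
        marker = _FILE_MARKER.match(raw)
        if marker:
            current, line_no = marker.group(1), 0
            continue
        line_no += 1
        code = raw.split("#", 1)[0]  # naive comment strip; ignores quoted '#'
        for m in _DIRECTIVE.finditer(code):
            hits.append((current, line_no, m.group(1), raw.strip()))
    return hits

def per_file_counts(hits):
    """Number of rewrite-module directives found in each configuration file."""
    return Counter(f for f, _, _, _ in hits)

# Constructed sample in the format printed by `nginx -T`.
SAMPLE = """\
# configuration file /etc/nginx/nginx.conf:
http {
    proxy_set_header Host $host;   # not a rewrite-module directive
    include conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/app.conf:
server {
    set $backend app;
    # rewrite ^/old /new;  (commented out, ignored)
    location /a { rewrite ^/a/(.*)$ /b/$1 last; }
    if ($request_method = POST) { return 405; }
}
"""

if __name__ == "__main__":
    for f, n, d, text in inventory(SAMPLE):
        print(f"{f}:{n}: [{d}] {text}")
```

On a live host, pass the captured output of `nginx -T` to `inventory()` in place of `SAMPLE`.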