NGINX Discloses 18-Year-Old Heap Buffer Overflow Allowing Unauthenticated Remote Code Execution
NGINX has disclosed a critical heap buffer overflow vulnerability in its rewrite module, tracked as CVE-2026-42945, that exposes servers to unauthenticated remote code execution or denial-of-service attacks. The flaw, present in NGINX installations for nearly two decades, requires no authentication to exploit—attackers need only send specially crafted HTTP requests to trigger the overflow. Security researchers are urging immediate action.
The vulnerability stems from how NGINX's rewrite module handles certain request patterns, creating a condition where heap memory can be overwritten via malformed requests. Unlike exploits requiring stolen credentials or insider access, this flaw allows complete remote compromise of affected servers with no prior foothold. The 18-year presence of this vulnerability in NGINX codebases raises questions about how long it may have gone undetected or, potentially, unexploited.
Organizations running NGINX—particularly those with F5 deployments that incorporate NGINX components—should patch immediately. As an interim mitigation, administrators can convert rewrite rules from unnamed to named captures, which reportedly avoids the vulnerable code path. Given the ubiquity of NGINX as a web server and reverse proxy across critical infrastructure, the potential attack surface is substantial. Security teams should prioritize asset identification, version scanning, and deployment of patches or compensating controls within standard incident response windows.
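One way to inventory rewrite rules that still rely on unnamed captures before converting them to named captures, as an added example that is not code from NGINX or F5. The function name, the line-based parsing and the sample configuration are assumptions made for illustration.

```python
import re

# Tokens of an nginx directive: quoted strings or runs without whitespace/";".
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[^\s;]+')
# "(" that is not escaped and not followed by "?": an unnamed capture group.
# Named (?<n>...), (?P<n>...), (?'n'...) and non-capturing (?:...) are skipped.
# Limitation: "(" inside a character class such as [(] is also reported.
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")
# Positional references $1..$9 in the replacement string.
POSITIONAL_REF = re.compile(r"\$[1-9]")

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = r"""
server {
    # rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/user/(\d+)$ /profile?id=$1 last;
    rewrite ^/item/(?<item_id>\d+)$ /product?id=$item_id last;
    rewrite "^/a/(?:x|y)/(?P<rest>.*)$" /b/$rest break;
    rewrite ^/docs/\(draft\)/(.+)$ /drafts/$1 redirect;
}
"""


def find_unnamed_capture_rewrites(config_text):
    """Return (line_no, regex, replacement) for rewrite rules to convert."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # commented-out directive
            continue
        tokens = [t.strip("\"'") for t in TOKEN.findall(stripped)]
        if len(tokens) < 3 or tokens[0] != "rewrite":
            continue
        regex, replacement = tokens[1], tokens[2]
        # Flag an unnamed group in the pattern, or a $N reference in the
        # replacement (which may point at a capture from an enclosing location).
        if UNNAMED_GROUP.search(regex) or POSITIONAL_REF.search(replacement):
            findings.append((line_no, regex, replacement))
    return findings


if __name__ == "__main__":
    for line_no, regex, replacement in find_unnamed_capture_rewrites(SAMPLE_CONFIG):
        print(f"line {line_no}: rewrite {regex} -> {replacement}")
```

The scan reads one directive per line and does not follow `include` files, so run it over every file that makes up the effective configuration.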