Critical NGINX Bug: DoS & Potential RCE in 18-Year-Old Flaw

Summary
– A critical 18-year-old heap buffer overflow vulnerability (CVE-2026-42945, CVSS 9.2) in NGINX can be exploited for denial of service and, under specific conditions, remote code execution.
– The flaw resides in ngx_http_rewrite_module and is triggered when NGINX configurations use both `rewrite` and `set` directives, causing inconsistent state handling that leads to a heap overflow.
– DepthFirst AI researchers demonstrated unauthenticated remote code execution, but only on systems with ASLR disabled; the exploit relies on NGINX’s multi-process architecture allowing repeated attempts via identical memory layouts.
– Three additional medium-severity memory corruption flaws were also discovered: excessive memory allocation in SCGI/UWSGI modules, a use-after-free in OCSP DNS resolution, and an off-by-one UTF-8 parsing bug.
– Fixes are available in NGINX Open Source 1.31.0 and 1.30.1. Crashing workers for DoS is trivial; security researchers and AlmaLinux note that reliable RCE on systems with ASLR enabled is not trivial, but they still treat the issue as urgent.
A security flaw that has lurked in the NGINX open-source web server for nearly two decades has been unearthed by an autonomous scanning system. The vulnerability, which can trigger denial of service (DoS) attacks and, in specific scenarios, remote code execution (RCE), has been assigned the identifier CVE-2026-42945 and carries a critical severity score of 9.2 under the latest CVSS framework.
Researchers at DepthFirst AI, an AI-native security firm, discovered this bug along with three additional memory corruption issues during a concentrated six-hour code scanning session. NGINX, a widely adopted web server and reverse proxy platform, powers roughly one-third of the world’s top websites. It is owned by F5 and used extensively by cloud providers, SaaS companies, financial institutions, media outlets, e-commerce sites, and within Kubernetes clusters for its load balancing and content caching capabilities.
The flaw, a heap buffer overflow in ngx_http_rewrite_module, has been present in the codebase since version 0.6.27, affecting all builds up to 1.30.0. It is triggered when NGINX configurations combine the ‘rewrite’ and ‘set’ directives, a pattern DepthFirst notes is common in API gateways and reverse proxy setups. The issue stems from inconsistent state handling in the internal script engine, which processes rewrites in two passes: first to calculate the memory allocation, then to copy the actual data. A flag called ‘is_args’ remains set after a rewrite containing a ‘?’, causing NGINX to miscalculate buffer sizes: it allocates memory based on the unescaped URI length but later writes the longer escaped forms of characters such as ‘+’ and ‘&’, leading to an overflow.
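The defect class described above, a "measure, then copy" routine whose two passes disagree about escaping, is easier to reason about in a small model. The following is an added example written for this page, not NGINX's code: the `Engine`, `walk` and `run_rewrite` names and the escaping table are constructed assumptions that only mirror the behaviour the article describes (a `?` leaves `is_args` set, and captured text copied while it is set is percent-encoded). The `consistent=True` path shows the invariant a fix must restore: both passes apply the same escaping predicate.

```python
# Simplified model of a "measure, then copy" URI builder whose two passes
# disagree about escaping. Constructed illustrative code, not NGINX's script
# engine; the escaping table and the Engine/walk names are assumptions.

ESCAPE_ARGS = {'+': '%2B', '&': '%26', '?': '%3F', '#': '%23', '%': '%25'}


def escape_args(s: str) -> str:
    """Percent-encode characters that are significant inside a query string."""
    return ''.join(ESCAPE_ARGS.get(c, c) for c in s)


class Engine:
    """Per-request state shared by both passes.

    `is_args` flips to True once a literal '?' has been emitted and, as in the
    flaw described above, is never cleared for later rewrites on the same engine.
    """

    def __init__(self) -> None:
        self.is_args = False


def walk(parts, is_args, do_escape):
    """Run one pass over (text, is_capture) chunks.

    Captured text is escaped only when do_escape is set and the engine is
    already inside the query string. Returns the produced text and the flag
    state after the pass.
    """
    out = ''
    for text, is_capture in parts:
        chunk = escape_args(text) if (do_escape and is_capture and is_args) else text
        out += chunk
        if not is_capture and '?' in text:
            is_args = True
    return out, is_args


def run_rewrite(engine, parts, consistent):
    """Return (bytes_allocated, bytes_written) for one rewrite.

    consistent=False reproduces the defect class: the length pass counts raw
    capture lengths while the copy pass escapes them, so written > allocated
    whenever a stale is_args is set. consistent=True makes both passes apply
    the same escaping predicate, which is the invariant a fix must restore.
    """
    measured, _ = walk(parts, engine.is_args, do_escape=consistent)        # pass 1: size the buffer
    written, engine.is_args = walk(parts, engine.is_args, do_escape=True)  # pass 2: copy, update state
    return len(measured), len(written)


def demo(consistent: bool):
    """Two rewrites on one engine: the first emits '?', the second copies a capture."""
    eng = Engine()
    run_rewrite(eng, [('/app', False), ('?', False), ('v=1', False)], consistent)
    capture = 'a+b&c=d'   # constructed sample of captured text containing '+' and '&'
    return run_rewrite(eng, [('/api/', False), (capture, True)], consistent)


if __name__ == '__main__':
    for mode in (False, True):
        allocated, written = demo(mode)
        print(f"consistent={mode}: allocated {allocated}, written {written}, "
              f"overshoot {written - allocated}")
```

With the inconsistent passes the second rewrite sizes its buffer for 12 bytes and writes 16, a four-byte overshoot that comes entirely from the two escaped characters; with consistent passes both numbers are 16. The general lesson for any two-pass serializer is that the length pass must evaluate exactly the predicate the copy pass evaluates, including state left over from earlier steps.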
The researchers demonstrated unauthenticated code execution by crafting HTTP requests that corrupt adjacent memory pool structures, overwrite cleanup handler pointers, spray fake structures into memory via POST request bodies, and force NGINX to execute the system() function during pool cleanup. However, this RCE was achieved on a system where Address Space Layout Randomization (ASLR) was disabled. ASLR is active by default but is sometimes turned off in embedded systems or virtual machines to boost performance.
DepthFirst also highlighted that NGINX’s multi-process architecture simplifies exploitation. “If our exploit fails and crashes a worker, the master process simply spawns a new one with the exact same memory layout,” the researchers explained. “This allows us to safely try multiple times until we succeed without worrying about the worker crashing and changing the memory layout. Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte.”
The three additional vulnerabilities discovered during the same session received medium severity ratings: CVE-2026-42946 involves excessive memory allocation in SCGI/UWSGI modules, enabling worker crashes via roughly 1 TB allocations; CVE-2026-40701 is a use-after-free bug in asynchronous OCSP DNS resolution handling; and CVE-2026-42934 is an off-by-one UTF-8 parsing error causing out-of-bounds reads.
The flaws were reported to F5 on April 21, 2026, and the vendor released a security advisory yesterday. Affected builds include NGINX Open Source 0.6.27 through 1.30.0, NGINX Plus R32 through R36, and several other F5 products. Fixes are available in NGINX Open Source 1.31.0 and 1.30.1, as well as NGINX Plus R36 P4 and R32 P6. For those unable to upgrade, F5 recommends replacing unnamed PCRE capture groups in vulnerable rewrite rules with named captures, which removes the primary exploitation prerequisite.
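For teams that cannot upgrade immediately, the configuration-level workaround above can be checked for mechanically. The following is an added example, not code from the article, F5 or the NGINX project: a small Python triage script that reads an nginx configuration, lists `rewrite` rules whose PCRE pattern still uses unnamed capture groups, and reports them only when the same configuration also uses `set`. The two embedded configurations are constructed samples (the upstream address is a placeholder); the first shows the flagged pattern and the second the same rules rewritten with named captures referenced as `$name`.

```python
from dataclasses import dataclass

# Constructed sample of an API-gateway style config that combines `rewrite`
# and `set` and uses unnamed PCRE captures ($1, $2) in its rewrite rules.
VULN_PATTERN_CONF = """
http {
    server {
        listen 80;
        set $backend "api-pool";
        location /api/ {
            rewrite ^/api/v([0-9]+)/(.*)$ /$backend/v$1/$2?proxied=1 break;
            set $upstream_path $uri;
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }
        location /static/ {
            rewrite ^/static/(.*)$ /assets/$1 last;
        }
    }
}
"""

# The same config using the workaround the advisory describes: named captures
# (?<name>...) referenced as $name instead of unnamed groups referenced as $N.
NAMED_CAPTURE_CONF = """
http {
    server {
        listen 80;
        set $backend "api-pool";
        location /api/ {
            rewrite ^/api/v(?<ver>[0-9]+)/(?<rest>.*)$ /$backend/v$ver/$rest?proxied=1 break;
            set $upstream_path $uri;
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }
        location /static/ {
            rewrite ^/static/(?<asset>.*)$ /assets/$asset last;
        }
    }
}
"""


@dataclass
class Directive:
    path: str         # enclosing blocks, e.g. "http > server > location /api/"
    name: str
    args: list
    line: int


def parse_directives(text: str) -> list:
    """Minimal brace-aware reader of nginx directives.

    Handles one directive or one brace per line and strips '#' comments; it
    does not follow `include` or parse quoted strings, so treat it as a triage
    aid rather than a full nginx config parser.
    """
    stack, out = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line == '}':
            stack.pop()
        elif line.endswith('{'):
            stack.append(line[:-1].strip())
        elif line.endswith(';'):
            parts = line[:-1].split()
            out.append(Directive(' > '.join(stack), parts[0], parts[1:], lineno))
    return out


def has_unnamed_capture(regex: str) -> bool:
    """True if a PCRE pattern opens a plain capturing group: '(' not followed by '?'.

    Escaped parentheses and parentheses inside [...] classes are skipped, and
    (?<name>...), (?P<name>...) and (?:...) are not counted.
    """
    i, in_class = 0, False
    while i < len(regex):
        c = regex[i]
        if c == '\\':
            i += 2            # skip the escaped character
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(' and regex[i + 1:i + 2] != '?':
            return True
        i += 1
    return False


def audit(text: str) -> list:
    """Report rewrite rules with unnamed captures in a config that also uses `set`."""
    directives = parse_directives(text)
    if not any(d.name == 'set' for d in directives):
        return []
    findings = []
    for d in directives:
        if d.name == 'rewrite' and d.args and has_unnamed_capture(d.args[0]):
            findings.append(f"line {d.line} [{d.path}]: rewrite regex {d.args[0]!r} "
                            f"uses unnamed captures alongside `set`; prefer (?<name>...) and $name")
    return findings


if __name__ == '__main__':
    for label, conf in (('vulnerable pattern', VULN_PATTERN_CONF), ('named captures', NAMED_CAPTURE_CONF)):
        findings = audit(conf)
        print(f"== {label}: {len(findings)} finding(s)")
        for f in findings:
            print('  ' + f)
```

Run against a real deployment, feed it the output of `nginx -T` so that included files are already expanded. The check deliberately stays conservative: it reports every unnamed-capture rewrite whenever `set` appears anywhere in the configuration, since the article gives the combination of the two directives, not their exact placement, as the trigger condition. Converting the rules is left to a human, because each `$N` reference must be renamed to match its new `(?<name>...)` group.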
Some security experts have tempered the alarm around CVE-2026-42945. Researcher Kevin Beaumont pointed out that exploitation requires a specific NGINX configuration using particular rewrite patterns, knowledge of the affected endpoint, and was demonstrated with ASLR disabled. He stressed that the published proof-of-concept was built against a deliberately vulnerable setup and does not indicate reliable code execution on hardened systems. AlmaLinux, after independently reproducing the flaw, confirmed that crashing NGINX worker processes is trivial, making DoS attacks realistic. However, they stated that achieving dependable RCE on systems with ASLR enabled “is not trivial” and that a generic, reliable exploit is unlikely to emerge from DepthFirst’s work. Still, AlmaLinux cautioned that “not easy” does not mean impossible, and the DoS potential alone makes the issue urgent.
(Source: BleepingComputer)