top of page

NGINX CVE-2026-42945 Worker Crash Vulnerability Exploited in the Wild with Potential RCE

  • May 17
  • 2 min read

Key Findings


  • NGINX vulnerability CVE-2026-42945 (CVSS 9.2) is actively exploited in the wild days after public disclosure

  • Heap buffer overflow in ngx_http_rewrite_module affects NGINX versions 0.6.27 through 1.30.0

  • Flaw can crash worker processes or enable remote code execution on systems with ASLR disabled

  • Exploitation requires specific NGINX configuration knowledge and crafted HTTP requests

  • VulnCheck detected weaponized exploitation attempts against honeypot networks

  • Two critical openDCIM vulnerabilities also under active exploitation with similar CVSS scores


Background


CVE-2026-42945 represents a significant security risk to NGINX deployments worldwide. The vulnerability stems from a heap buffer overflow introduced in 2008 within the ngx_http_rewrite_module. The flaw emerges when a rewrite directive is followed by another rewrite, if, or set directive using unnamed Perl-Compatible Regular Expression captures with question marks in the replacement string. The issue went undetected for years before researchers at depthfirst identified and disclosed it publicly.


Exploitation Conditions and Impact


The vulnerability enables unauthenticated attackers to send specially crafted HTTP requests that trigger the heap buffer overflow. At minimum, this causes worker process crashes, resulting in denial of service. However, the path to full remote code execution is more constrained. Code execution requires Address Space Layout Randomization to be disabled, a security feature that is enabled by default on modern systems including all supported AlmaLinux releases.


Security researcher Kevin Beaumont emphasized that successful RCE exploitation demands attackers to know the specific NGINX configuration and disable ASLR, making it a more complex attack than a simple crash. AlmaLinux maintainers acknowledged that while turning the heap overflow into reliable code execution is difficult with default configurations, it remains theoretically possible, warranting urgent patches regardless.


Active Threat Activity


VulnCheck's threat intelligence teams detected threat actors actively exploiting CVE-2026-42945 against their honeypot infrastructure. The nature and objectives of these attacks remain unclear, but the rapidity of weaponization following disclosure indicates determined adversaries. F5 has released patches for both NGINX Plus and NGINX Open Source, and organizations should apply these fixes immediately to protect against ongoing threats.


OpenDCIM Vulnerabilities Also Compromised


Concurrent with NGINX exploitation, VulnCheck researcher Valentin Lobstein discovered three critical vulnerabilities in openDCIM, an open-source data center infrastructure management application. CVE-2026-28515 involves missing authorization checks in LDAP configuration functionality. CVE-2026-28517 represents an operating system command injection flaw in the report_network_map.php component. CVE-2026-28516 is an SQL injection vulnerability affecting the application.


Attackers can chain these three vulnerabilities across five HTTP requests to achieve remote code execution and establish reverse shells. Lobstein documented that adversaries are leveraging customized implementations of the Vulnhuntr AI vulnerability discovery tool to automatically identify vulnerable openDCIM installations before deploying PHP web shells. Activity traced to a single Chinese IP address suggests coordinated campaign operations.


Sources


  • https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42945

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page