CRITICAL: 18-Year-Old NGINX Rewrite Module Flaw Hits Active Exploitation in Days

A heap buffer overflow lurking in NGINX's ngx_http_rewrite_module since 2008 went from coordinated disclosure to active in-the-wild exploitation in roughly seventy-two hours. CVE-2026-42945 affects every release from 0.6.27 through 1.30.0 across both Open Source and Plus, can crash worker processes trivially, and can reach remote code execution on hosts where ASLR is disabled. Patches are available in NGINX 1.30.1 and 1.31.0.

By Danny Mercer, CISSP, Lead Security Analyst. May 18, 2026

Pour one out for the assumption that boring, battle-tested infrastructure is automatically safe. CVE-2026-42945, a heap buffer overflow buried inside NGINX's rewrite module since 2008, went from coordinated disclosure to active exploitation in roughly seventy-two hours. The world's most popular web server, the quiet workhorse behind a sizable chunk of the internet, is now under attack from a bug that predates most of the engineers running it.

The vulnerability lives in ngx_http_rewrite_module, the component that handles URL rewriting rules every reverse proxy admin has touched at some point. F5, which maintains NGINX, published the advisory on May 13 with a critical severity rating that most trackers are pegging at CVSS 9.2, though the F5-submitted NVD entry currently shows 8.1 due to the high attack complexity score. Either way, by May 16 VulnCheck's honeypot network was already catching weaponized exploitation attempts in the wild. That is not a coincidence. A public proof of concept dropped alongside the disclosure on the depthfirst research site, and attackers wasted no time wiring it into their scanning rotations.

Here is what the flaw actually does in plain terms. When NGINX processes certain rewrite configurations, it overruns a heap-allocated buffer, the heap-based buffer overflow class catalogued as CWE-122. The bug triggers when a rewrite directive uses an unnamed Perl-Compatible Regular Expression capture such as $1 or $2, the replacement string contains a question mark, and another rewrite, if, or set directive follows in the same scope. All three conditions must hold, and that combination is more common than it sounds. Anyone who has hand-rolled redirect rules, query string manipulation, or A/B testing logic in NGINX has probably written configurations that meet this pattern, often without realizing it.

The blast radius is staggering. Affected versions span NGINX 0.6.27 through 1.30.0, covering both the open source release and NGINX Plus. That is essentially every version anyone has run in production for the last decade and a half. F5 shipped fixed builds in NGINX Open Source 1.30.1 and 1.31.0, with corresponding patches landing for NGINX Plus customers through normal support channels. If you are running anything older than those releases on an internet-facing host, you are exposed right now.

The exploitation picture has two distinct tiers, which is why some advisories rate this critical while others treat it primarily as a serious denial of service rather than full remote code execution. Crashing a worker process with a crafted HTTP request is trivial and reliable. An attacker who can identify a vulnerable configuration can knock workers over repeatedly, causing service degradation or outright outages for any site or API sitting behind that NGINX instance. Reliable remote code execution is harder. Security researcher Kevin Beaumont noted that RCE "relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box." AlmaLinux maintainers echoed the sentiment, observing that turning the heap overflow into reliable code execution is not trivial when ASLR is enabled by default.

That does not mean RCE is off the table. It means RCE is going to be opportunistic, hitting boxes where ASLR was disabled for legacy compatibility reasons, where embedded appliances ship with hardening turned off, or where minimal container images skip protections to save a few cycles. Every red team worth its retainer is going to enumerate those targets first. Meanwhile, the denial of service angle is essentially universal across vulnerable installations, and a sustained worker crash loop against a load balancer is its own kind of incident, especially for organizations that built their entire customer-facing stack on the assumption that NGINX simply does not fall over.

Attribution on the disclosure side belongs to depthfirst, the AI-native security research firm that surfaced the bug after deep static and dynamic analysis of the rewrite module. They published technical details and a working proof of concept on GitHub the same day the advisory went live, which is responsible disclosure done by the book. Except the book never quite accounts for how fast modern attackers operationalize a public PoC. Within three days of the GitHub repository going public, internet-wide scanning was hammering vulnerable configurations. Exploit attempts now include both crash payloads and shellcode delivery attempts targeting servers where defenders made the mistake of disabling memory protections.

Detection is going to be uglier than usual because the vulnerable behavior triggers inside a process that is supposed to handle a constant stream of weird HTTP traffic. The clearest signal is a sudden spike in NGINX worker process crashes recorded in the error log. Look for entries indicating a worker exited on signal 11 (SIGSEGV) or signal 6 (SIGABRT), particularly when correlated with specific request patterns. Anomalous request paths that include the characteristic rewrite triggers, especially URLs with unusual encoded characters or trailing question marks where they should not be, are another tell. Network defenders should review WAF logs for unexpected 5xx clusters tied to particular client IPs, and SOC teams should add monitoring for nginx restart events that exceed baseline by any meaningful margin. Treat any unexplained worker exit in the last week as suspect until proven otherwise.
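As an added illustration (not from the F5 advisory or this article's author), the following Python script applies the detection guidance above to a constructed nginx error.log excerpt: it pulls out worker exits on signal 11 (SIGSEGV) or 6 (SIGABRT) using nginx's standard "worker process N exited on signal S" message and flags any sliding window in which the crash count reaches a baseline threshold. The window length and threshold are assumed tuning values, not figures from the article.

```python
import re
from datetime import datetime

# Constructed nginx error.log excerpt (not real telemetry): three crashes in eight
# seconds, one isolated crash the next day, plus unrelated noise lines.
SAMPLE_LOG = """\
2026/05/16 14:03:21 [alert] 1234#1234: worker process 5678 exited on signal 11 (core dumped)
2026/05/16 14:03:21 [notice] 1234#1234: start worker process 5701
2026/05/16 14:03:24 [alert] 1234#1234: worker process 5701 exited on signal 11 (core dumped)
2026/05/16 14:03:25 [error] 1234#1234: *88 open() "/var/www/favicon.ico" failed (2: No such file or directory)
2026/05/16 14:03:29 [alert] 1234#1234: worker process 5722 exited on signal 6
2026/05/16 14:03:30 [notice] 1234#1234: worker process 5730 exited with code 0
2026/05/16 14:15:02 [notice] 1234#1234: signal 15 (SIGTERM) received, exiting
2026/05/17 09:00:00 [alert] 1234#1234: worker process 6001 exited on signal 11 (core dumped)
"""

# nginx's standard message for a worker that died on a signal: "<ts> [alert] <pid>#<tid>:
# worker process <pid> exited on signal <n>". Only SIGSEGV (11) and SIGABRT (6) are kept.
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (11|6)\b"
)

def worker_crashes(log_text):
    """Return (timestamp, worker pid, signal) for every matching crash line, in file order."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            crashes.append((ts, int(m.group(2)), int(m.group(3))))
    return crashes

def crash_bursts(log_text, window_seconds=60, threshold=3):
    """Sliding window over crash times: return (window start, count) wherever at least
    `threshold` worker crashes land within `window_seconds`. Both values are assumed
    tuning knobs; set them from the host's normal crash baseline (ideally zero)."""
    times = sorted(ts for ts, _, _ in worker_crashes(log_text))
    bursts, j = [], 0
    for i, start in enumerate(times):
        while j < len(times) and (times[j] - start).total_seconds() < window_seconds:
            j += 1                       # j is the first crash outside the window
        if j - i >= threshold:
            bursts.append((start, j - i))
    return bursts

if __name__ == "__main__":
    for start, n in crash_bursts(SAMPLE_LOG):
        print(f"SUSPECT: {n} worker crashes within 60s starting {start:%Y-%m-%d %H:%M:%S}")
```

Pair a flagged window with the access log for the same seconds to recover the request paths the article says to look for; correlating on the worker pid is not possible from the access log alone.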

For immediate response, the priority is upgrading. NGINX Open Source users need to move to 1.30.1 or 1.31.0 today, not next sprint. NGINX Plus customers should apply the corresponding hotfix from F5 immediately. If a hard upgrade window cannot happen in the next twenty-four hours, the interim mitigation is to audit rewrite configurations and remove or restructure any directives that match the vulnerable pattern. That means hunting through every server block, location block, and included config file for rewrite rules that combine unnamed PCRE captures, question marks in replacements, and adjacent rewrite, if, or set directives. It is tedious work, and it is only a stopgap for hosts where patching genuinely cannot happen in that window, not a substitute for the upgrade. Also confirm ASLR is enabled across every host running NGINX, because that single kernel setting is the difference between a denial of service event and an actual breach.
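To make the interim mitigation concrete, here is an added Python audit script (not part of the advisory, the article, or any F5 tooling) that scans an nginx configuration for the three-part pattern described above: a rewrite whose replacement references an unnamed capture ($1, $2, ...) and contains a question mark, followed later in the same block by another rewrite, if, or set directive. It uses a deliberately simple tokenizer that assumes braces, semicolons and '#' never appear inside quoted strings, does not follow include directives (run it over every included file), and is exercised against a constructed sample config.

```python
import re
# Constructed sample config: only /legacy combines all three advisory conditions.
SAMPLE_CONF = """
server {
    listen 80;
    location /legacy {
        rewrite ^/legacy/(.*)$ /app/$1? last;     # unnamed capture + '?' ...
        set $flag 1;                             # ... then set in the same scope
    }
    location /safe {
        rewrite ^/safe/(.*)$ /app/$1 last;        # no '?' in the replacement
        set $flag 2;
    }
    location /alone {
        rewrite ^/alone/(.*)$ /x/$1? permanent;   # nothing follows in this scope
    }
}
"""

def parse_statements(text):
    """Return (scope_id, directive, statement) per statement, tracking block nesting.
    Assumes ';', '{', '}' and '#' never appear inside quoted strings (fine for an audit)."""
    tokens = re.split(r"([;{}])", re.sub(r"#[^\n]*", "", text))   # strip comments, split
    stack, out = [0], []                         # stack of enclosing block ids
    for body, delim in zip(tokens[::2], tokens[1::2]):
        stmt = " ".join(body.split())            # normalise whitespace
        if stmt:
            out.append((stack[-1], stmt.split()[0], stmt))
        if delim == "{":                         # opener: server, location, if ...
            stack.append(len(out))               # unique id: position of the opener
        elif delim == "}":
            stack.pop()
    return out

def find_vulnerable_rewrites(text):
    """Return (rewrite, following directive) pairs matching the advisory's pattern."""
    stmts = parse_statements(text)
    findings = []
    for i, (scope, name, stmt) in enumerate(stmts):
        parts = stmt.split()
        if name != "rewrite" or len(parts) < 3:
            continue
        replacement = parts[2]
        if not (re.search(r"\$\d", replacement) and "?" in replacement):
            continue                             # needs a $N capture and a '?'
        for scope2, name2, stmt2 in stmts[i + 1:]:
            if scope2 == scope and name2 in ("rewrite", "if", "set"):
                findings.append((stmt, stmt2))
                break
    return findings
```

The ASLR check the paragraph also calls for is separate from this script: on Linux, /proc/sys/kernel/randomize_va_space should read 2 (full randomization) on every host running NGINX.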

This vulnerability is going to be in the headlines for weeks because of how much of the internet runs NGINX. CDNs, API gateways, Kubernetes ingress controllers, load balancers in front of legacy applications, the reverse proxy somebody set up in 2014 and never touched again, all of it is potentially in scope. Ingress NGINX in particular deserves immediate attention because Kubernetes clusters often run older versions and treat the ingress controller as set-and-forget infrastructure. Cloud-native shops with autoscaling NGINX fleets need to make sure their base images get rebuilt, not just rolling restart their existing pods. CISA had not yet added CVE-2026-42945 to the Known Exploited Vulnerabilities catalog at the time of this writing, but given the exploitation telemetry coming out of VulnCheck, that addition is a matter of when, not if.

There is also a broader lesson buried in the eighteen years this bug spent hiding in plain sight. NGINX is open source, widely reviewed, deployed by the largest companies on earth, and audited by countless security teams. A heap buffer overflow in one of its most-used modules still slipped through every set of human eyes that looked at the code, only surfacing when an AI-assisted static analysis pipeline started asking different questions. Defenders should take that as a useful data point about the future of vulnerability research and the freshness of bugs that are about to start hitting the wire.

For MSPs and security partners, this is the kind of event that pays for itself if you move fast. Every client running web infrastructure needs a same-day vulnerability assessment to confirm their NGINX versions and identify exposed configurations, and that is a billable engagement with clear urgency baked in. Beyond the immediate patching sprint, this is also the moment to pitch ongoing managed vulnerability detection and response services to clients who have been on the fence, because the seventy-two hour window between disclosure and exploitation is exactly why reactive patching alone is no longer a defensible posture.
