SecurityWeek

Vulnerabilities

Exploitation of Critical NGINX Vulnerability Begins

The flaw leads to denial-of-service on default configurations and to remote code execution if ASLR is disabled.

The first in-the-wild attacks exploiting a critical-severity NGINX vulnerability patched last week were observed over the weekend, VulnCheck warns.

Tracked as CVE-2026-42945 (CVSS score of 9.2) and dubbed Nginx Rift, the flaw is described as a heap buffer overflow in the ngx_http_rewrite_module component. It lurked in the NGINX code for 16 years.

Shortly after F5 released patches for the bug, Depthfirst published technical details and proof-of-concept (PoC) code targeting it. Now, VulnCheck says threat actors are already exploiting the issue in attacks.

“We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,” VulnCheck researcher Patrick Garrity warned.

The security defect exists because the script engine uses a two-pass process: one pass calculates the size of the output buffer and a second pass copies data into it, and the internal engine state changes between these passes. Under certain conditions, a flag that is updated in one pass but not propagated to the other makes the copy pass produce more bytes than the sizing pass counted, so attacker-supplied data is written past the end of the heap allocation.
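To make the bug class concrete, the following constructed C model (added here; it is not NGINX's code and does not reproduce the actual ngx_http_rewrite_module logic) renders a rewrite-style template in two passes over the same opcodes. Pass 1 only counts bytes; pass 2 copies into a heap buffer of that size. The engine carries an `escape` flag that flips the first time a literal `?` is emitted, after which `?` and `&` in the variable value are percent-encoded (one byte becomes three). The template syntax, the `$uri` variable, the flag and the sample URI are all assumptions for illustration. Rather than corrupt the heap, the model bounds the copy and counts the bytes pass 2 would have written past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of a two-pass script engine (not NGINX's code).
 * A template such as "/r?u=$uri" is rendered twice over the same opcodes:
 * pass 1 only counts bytes, pass 2 copies into a heap buffer of that size.
 * Engine state includes an `escape` flag: once a '?' has been emitted, a
 * variable's '?' and '&' are percent-encoded (1 byte becomes 3). */

struct engine {
    const char *tpl;   /* template: literal text plus the variable "$uri" */
    const char *var;   /* value of $uri, i.e. attacker-controlled input */
    int escape;        /* engine state that changes mid-pass */
    char *out;         /* NULL during the length pass */
    size_t cap;        /* bytes the heap buffer can hold */
    size_t len;        /* bytes counted (pass 1) or requested (pass 2) */
    size_t overflow;   /* bytes pass 2 wanted to write past cap */
};

struct result { size_t allocated, needed, overflow; };

/* Appends n bytes. Instead of corrupting the heap when the count was wrong,
 * the model refuses the out-of-bounds bytes and records them in `overflow`. */
static void emit(struct engine *e, const char *s, size_t n) {
    if (e->out) {
        size_t room = e->len < e->cap ? e->cap - e->len : 0;
        size_t copy = n < room ? n : room;
        memcpy(e->out + e->len, s, copy);   /* bounded write */
        e->overflow += n - copy;            /* bytes that would have gone OOB */
    }
    e->len += n;
}

/* Expands $uri, escaping '?' and '&' only when the flag is currently set. */
static void emit_var(struct engine *e) {
    for (const char *v = e->var; *v; v++) {
        if (e->escape && (*v == '?' || *v == '&')) {
            char hex[4];
            snprintf(hex, sizeof hex, "%%%02X", (unsigned char)*v);
            emit(e, hex, 3);
        } else {
            emit(e, v, 1);
        }
    }
}

/* One pass over the template. `propagate` says whether a literal '?' seen
 * in THIS pass flips the escape flag. The bug class: the length pass was
 * written with propagate=0 and the copy pass with propagate=1, so the two
 * passes disagree on how many bytes $uri expands to. */
static size_t run_pass(struct engine *e, int propagate) {
    e->len = 0;
    e->escape = 0;
    for (const char *p = e->tpl; *p; ) {
        if (strncmp(p, "$uri", 4) == 0) {
            emit_var(e);
            p += 4;
        } else {
            if (*p == '?' && propagate) e->escape = 1;
            emit(e, p, 1);
            p++;
        }
    }
    return e->len;
}

/* fixed=0: the length pass ignores the flag (vulnerable).
 * fixed=1: both passes walk the same state machine, so the count matches. */
static struct result render(const char *tpl, const char *var, int fixed) {
    struct engine e = { tpl, var, 0, NULL, 0, 0, 0 };
    struct result r;
    r.allocated = run_pass(&e, fixed);      /* pass 1: size the buffer */
    e.out = malloc(r.allocated + 1);
    e.cap = r.allocated;
    r.needed = run_pass(&e, 1);             /* pass 2: copy into it */
    r.overflow = e.overflow;
    free(e.out);
    return r;
}

int main(void) {
    const char *tpl = "/r?u=$uri";   /* constructed rewrite target */
    const char *uri = "/a?b&c";      /* constructed attacker-supplied URI */
    struct result v = render(tpl, uri, 0), f = render(tpl, uri, 1);
    printf("vulnerable: allocated %zu, pass 2 produced %zu, %zu bytes past the buffer\n",
           v.allocated, v.needed, v.overflow);
    printf("fixed:      allocated %zu, pass 2 produced %zu, %zu bytes past the buffer\n",
           f.allocated, f.needed, f.overflow);
    return 0;
}
```

Compile with `cc -o twopass twopass.c`. For the constructed input the vulnerable variant allocates 11 bytes and then asks to write 15, four of them past the heap boundary; the fixed variant allocates 15. The fix is not a bigger buffer but making the sizing pass walk exactly the state machine the copy pass walks; the bounded `emit()` is defense in depth, since a length check in the copy pass turns a heap overflow into a detectable failure.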

On default deployments, successful exploitation crashes the NGINX worker process, which the master process then restarts, causing a denial-of-service (DoS) condition. If Address Space Layout Randomization (ASLR) is disabled on the host, the vulnerability can lead to remote code execution (RCE).

As VulnCheck points out, the bug can be exploited remotely, without authentication, via crafted HTTP requests, but requires a specific rewrite configuration.

While crashing the NGINX worker process is fairly trivial with a single crafted request, achieving RCE is more difficult, as most deployments have ASLR enabled by default.

“Our Censys query surfaces roughly 5.7M internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is likely to be a much smaller subset of those,” VulnCheck says.

The vulnerability demands urgent attention, security researchers warn. Wider exploitation attempts against vulnerable deployments are to be expected, especially since the public PoC achieves RCE on deployments where ASLR is disabled and a worker crash on the rest.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.