Researchers discover 18-year-old vulnerability in NGINX

Researchers have discovered a critical vulnerability in NGINX that allows attackers to remotely execute code on servers running the popular web server. The flaw is believed to have existed since 2008 and, according to the researchers, affects virtually all modern versions of NGINX.

The vulnerability, registered as CVE-2026-42945, received a CVSS score of 9.2. The issue lies in the processing of rewrite and set directives within NGINX configurations. These functions are widely used in reverse proxies, API gateways, and ingress controllers to dynamically modify URLs or temporarily store request information.

According to security researchers at Depthfirst, the issue arises from a flaw in NGINX’s internal scripting engine. That engine first calculates how much memory is needed to construct a new URL and then writes the final data. Due to an inconsistency in an internal status variable, sometimes too little memory is reserved, while during the second step more data is written than anticipated. This leads to a heap buffer overflow.

Researchers demonstrate RCE

The researchers claim they succeeded in turning the memory error into a working exploit for remote code execution (RCE). To do so, they exploited the predictable memory structure of NGINX worker processes. By manipulating multiple connections and injecting malicious data into memory, they were able to overwrite internal pointers and execute system commands.

According to the research, the exploit can be executed without authentication. However, the proof of concept was tested with Address Space Layout Randomization (ASLR) disabled. That security mechanism typically makes memory attacks more difficult.

BleepingComputer reports that several security researchers have raised concerns about the practical feasibility of the attack on fully hardened production systems. Kevin Beaumont, among others, points out that specific configurations are required and that the published exploit runs on an environment that has been deliberately made vulnerable.

AlmaLinux also qualifies the impact. The Linux distribution confirms that it is relatively easy to crash NGINX worker processes via the vulnerability, making denial-of-service attacks a realistic possibility. However, according to AlmaLinux, reliable remote code execution with ASLR enabled would be significantly more difficult.

Patches and temporary workaround

The researchers specifically cite configurations where rewrite and set are used together as risky. Such combinations are common in modern API infrastructures and Kubernetes environments.

F5 has since released patches for affected versions of NGINX and related products. Fixes are available in NGINX Open Source 1.31.0 and 1.30.1, as well as in NGINX Plus R36 P4 and R32 P6.

For organizations that cannot upgrade immediately, F5 recommends modifying vulnerable rewrite rules. In doing so, numbered regex captures such as $1 and $2 must be replaced with named captures. According to the company, this eliminates a key prerequisite for successful exploitation.
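To illustrate the workaround described above, here is an added configuration example (not taken from F5's advisory or the researchers' write-up) showing a rewrite rule of the kind the article calls risky, numbered captures handed to a set directive, next to the same rule rewritten with named captures; the location path, variable names and upstream name are placeholders.

```nginx
# BEFORE: rewrite and set combined, with numbered captures $1 and $2
# taken from the rewrite regex. This is the pattern the article says
# F5 advises changing (illustrative placeholder paths and names).
location /api/ {
    rewrite ^/api/([^/]+)/(.*)$ /internal/$1/$2 break;
    set $svc $1;
    proxy_pass http://backend;
}

# AFTER: the same rule using PCRE named captures. Each group is
# referenced by name ($svc, $rest) instead of by position.
location /api/ {
    rewrite ^/api/(?<svc>[^/]+)/(?<rest>.*)$ /internal/$svc/$rest break;
    set $target_svc $svc;
    proxy_pass http://backend;
}
```

Validate the edited configuration with `nginx -t` before reloading, and treat the change as a stopgap until the patched release is installed.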

Autonomous analysis system found multiple vulnerabilities

A notable aspect of the research is that the flaws were largely discovered automatically by an autonomous analysis system from Depthfirst. That system analyzed NGINX’s source code and, according to the company, identified five potential memory errors. Four of these were ultimately confirmed by NGINX.

In addition to the critical RCE vulnerability, these include an issue that can cause extreme memory consumption in SCGI and uWSGI modules, a use-after-free bug in the SSL module, and an out-of-bounds read in the charset module.

The researchers report that the main vulnerability is present in NGINX Open Source versions from 0.6.27 through 1.30.0. Several commercial products from F5 based on NGINX are also reportedly vulnerable, including NGINX Plus, App Protect WAF, and various ingress controllers for Kubernetes.