18-Year-Old NGINX Flaw Triggers Unauthenticated Remote Code Execution

TL;DR Summary
A severe heap-buffer-overflow bug in NGINX’s ngx_http_rewrite_module (CVE-2026-42945, CVSS 9.2) allows unauthenticated remote code execution when the rewrite and set directives are used together. It affects NGINX Open Source 0.6.27–1.30.0 and several F5/NGINX products, and a working PoC is public. Patch guidance: upgrade to NGINX 1.30.1 or 1.31.0 and audit configurations that combine rewrite and set directives, with a recommendation to add a WAF layer until patching is complete. Related CVEs: CVE-2026-42946 (high severity, memory corruption), CVE-2026-40701 (medium, use-after-free), and CVE-2026-42934 (medium, out-of-bounds read).
- Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks CyberSecurityNews
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE The Hacker News
- 18-year-old NGINX vulnerability allows DoS, potential RCE BleepingComputer
- CVE-2026-42945: Critical NGINX Rewrite Flaw SOC Prime
- NGINX is critically vulnerable: hackers can crash servers and run remote code with no authentication Cybernews
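The summary recommends auditing configurations that combine rewrite and set directives. The following is an added example (not code from any of the linked articles or from the NGINX project) that walks an nginx.conf and reports every block whose own directives include both; it assumes co-occurrence within one block is the right audit unit, does not follow include directives, and says nothing about exploitability. The sample configuration is constructed.

```python
import re

# Constructed sample config (not from any real deployment) to exercise the audit.
SAMPLE_CONF = """
http {
    server {
        location /legacy {
            set $target "/new$uri";   # set and rewrite in one block
            rewrite ^/legacy/(.*)$ $target last;
        }
        location /api {
            if ($host ~* legacy) {
                set $redir 1;
                rewrite ^ /v2$uri redirect;
            }
        }
    }
}
"""

# Tokens: comments, quoted strings, block/statement punctuation, bare words.
_TOKEN = re.compile(r"""#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};"']+""")

def find_rewrite_set_blocks(conf: str) -> list[str]:
    """Return paths of blocks whose own directives include both 'rewrite' and 'set'."""
    path: list[str] = []   # enclosing block headers, e.g. 'location /legacy'
    seen: list[set] = []   # directive names seen in each currently open block
    stmt: list[str] = []   # tokens of the statement currently being read
    hits: list[str] = []
    for tok in _TOKEN.findall(conf):
        if tok.startswith('#'):          # comment: skip
            continue
        if tok == ';':                   # end of a simple directive
            if stmt and seen:
                seen[-1].add(stmt[0])
            stmt = []
        elif tok == '{':                 # block opens; header is the pending stmt
            path.append(' '.join(stmt) or '<anonymous>')
            seen.append(set())
            stmt = []
        elif tok == '}':                 # block closes; evaluate its directives
            if {'rewrite', 'set'} <= seen.pop():
                hits.append(' > '.join(path))
            path.pop()
        else:
            stmt.append(tok)
    return hits
```

Run it over the real config with `find_rewrite_set_blocks(open('/etc/nginx/nginx.conf').read())` and treat each reported path as a block to review while the upgrade is pending.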