Tag

Cve 2026 42945

All articles tagged with #cve 2026 42945

NGINX Rewrite Module Flaw Allows Unauthenticated Remote Code Execution (CVE-2026-42945)
security · 3 hours ago

Security researchers disclosed a critical, unauthenticated heap buffer overflow in NGINX's ngx_http_rewrite_module (CVE-2026-42945) that can enable remote code execution or DoS via a crafted URI. The flaw, which remained undetected for 18 years, affects NGINX Plus and Open Source and is more dangerous on systems with ASLR disabled. Patches are available across multiple products (NGINX Plus R32–R36, Open Source 1.30.1–1.31.0, among others), along with fixes for CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934. Administrators should upgrade to the latest versions or, if patching isn't feasible, modify rewrite directives to use named captures to mitigate exposure.