18-year-old NGINX vulnerability allows DoS, potential RCE

An 18-year-old heap buffer overflow in NGINX, tracked as CVE-2026-42945, can cause denial of service and may allow remote code execution under specific conditions. DepthFirst AI also uncovered three additional memory corruption flaws in NGINX components, while F5 has released fixes for affected NGINX and related products.

Key points

  • CVE-2026-42945 is a critical heap buffer overflow in ngx_http_rewrite_module.
  • The flaw affects NGINX versions 0.6.27 through 1.30.0.
  • Exploitation is tied to specific rewrite and set directive configurations.
  • The bug can reliably crash worker processes and may enable remote code execution in some setups.
  • F5 released patches and recommends named captures as a workaround for unpatched systems.
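To plan the named-capture workaround on hosts that cannot be patched yet, the sketch below (an added example, not code from the article or from F5) inventories `rewrite` and `set` directives that reference numbered captures (`$1`..`$9`). The page does not say which exact directive combinations trigger the bug, so every hit is only a candidate for conversion to a named capture; the scan is line-based, assumes one directive per line, and runs on a constructed sample config.

```python
import re

# Constructed sample config for this example (not from the article).
SAMPLE_CONF = r'''
server {
    location /a {
        rewrite ^/user/(\d+)/(.*)$ /profile?id=$1&tab=$2 last;  # numbered
    }
    location /b {
        rewrite ^/user/(?<uid>\d+)$ /profile?id=$uid last;      # named
    }
    location ~ ^/dl/(.+)$ {
        set $file $1;
    }
    # rewrite ^/old/(.*)$ /new/$1;
    set $mode "plain";
}
'''

DIRECTIVE = re.compile(r'^\s*(rewrite|set)\s+(.*?);')
NUMBERED = re.compile(r'\$[1-9]')  # nginx positional captures $1..$9

def strip_comment(line):
    """Drop an unquoted '#' comment, keeping '#' inside quoted strings."""
    quote, i = None, 0
    while i < len(line):
        ch = line[i]
        if ch == '\\':          # skip escaped character (e.g. \d, \#)
            i += 2
            continue
        if quote:
            quote = None if ch == quote else quote
        elif ch in '"\'':
            quote = ch
        elif ch == '#':
            return line[:i]
        i += 1
    return line

def find_numbered_captures(conf_text):
    """Return (line_no, directive, statement) for rewrite/set using $1..$9."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw)
        m = DIRECTIVE.match(line)
        if m and NUMBERED.search(m.group(2)):
            findings.append((no, m.group(1), line.strip()))
    return findings

if __name__ == "__main__":
    for no, directive, stmt in find_numbered_captures(SAMPLE_CONF):
        print(f"line {no}: {directive}: {stmt}")
```

Each flagged directive can be rewritten in the style of the `/b` location, where `(?<uid>...)` replaces the positional group and `$uid` replaces `$1`.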

Read More: https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/