A critical heap buffer overflow vulnerability in NGINX has entered active exploitation in the wild within days of public disclosure. Tracked as CVE-2026-42945, the flaw carries a CVSS score of 9.2 and resides in the ngx_http_rewrite_module component.

The vulnerability affects NGINX versions 0.6.27 through 1.30.0, spanning both the NGINX Plus and NGINX Open Source distributions. Threat actors exploit the flaw to crash worker processes and potentially achieve remote code execution on affected servers.

VulnCheck confirmed active exploitation attempts in the wild shortly after the vulnerability entered public view. The rapid shift from disclosure to weaponization highlights the threat actors' ability to operationalize critical NGINX flaws quickly.

The heap buffer overflow occurs within NGINX's rewrite module, a core component responsible for URL manipulation and request routing. By crafting malicious input, attackers trigger memory corruption that destabilizes worker processes. In certain configurations, attackers escalate beyond denial of service to achieve code execution within the NGINX process context.

Organizations running NGINX as a reverse proxy, load balancer, or web server face immediate risk. Web applications sitting behind a vulnerable NGINX instance are exposed through it. A compromised NGINX process gives attackers network-level access to backend systems and to the sensitive data passing through the proxy.

The vulnerability's high CVSS rating reflects both the ease of exploitation and the severity of impact. No user interaction is required. A single malformed HTTP request triggers the buffer overflow.

Patches exist in NGINX 1.30.1 and later versions. Organizations should prioritize testing and deploying the update across all affected deployments. Temporary mitigations include restricting access to the rewrite module or disabling URL rewriting where operationally feasible, though these measures are stopgaps rather than fixes.
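As an added triage helper (not code from the article or from the NGINX project), the following Python checks an `nginx -v` string against the affected range the article gives and lists where an `nginx -T` configuration dump uses rewrite-module directives, which is where the "disable URL rewriting" mitigation would have to be applied. The version string and configuration below are constructed samples.

```python
import re
from typing import List, Tuple

# Affected range as stated in the advisory: 0.6.27 through 1.30.0; 1.30.1 is patched.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)
# Directives implemented by ngx_http_rewrite_module.
REWRITE_DIRECTIVES = {"rewrite", "if", "return", "set", "break", "rewrite_log"}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract x.y.z from `nginx -v` output, e.g. 'nginx version: nginx/1.28.0'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no nginx version found in: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def find_rewrite_directives(config: str) -> List[Tuple[int, str]]:
    """Return (line_number, directive) for each rewrite-module directive in the
    text of `nginx -T`; comments are ignored and only each line's first token counts."""
    hits = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line and line.split(None, 1)[0] in REWRITE_DIRECTIVES:
            hits.append((lineno, line.split(None, 1)[0]))
    return hits

def triage(version_output: str, config: str) -> Tuple[bool, List[Tuple[int, str]]]:
    """Combine both checks: (is the build affected?, where does the config rewrite?)."""
    return is_affected(parse_version(version_output)), find_rewrite_directives(config)

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_VERSION_OUTPUT = "nginx version: nginx/1.28.0"
SAMPLE_CONFIG = """server {
    listen 80;
    # legacy redirect kept for old bookmarks
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /api/ {
        if ($request_method = POST) { return 405; }
        proxy_pass http://backend;
    }
}"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_OUTPUT, SAMPLE_CONFIG))
```

Run it against the real outputs of `nginx -v` and `nginx -T` on each host; a hit list that is empty on an affected build still leaves the build unpatched, since the module is compiled in by default.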