
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

A newly disclosed security flaw in NGINX Plus and NGINX Open is already being actively exploited in the wild, just days after its public disclosure, according to VulnCheck.

The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in the ngx_http_rewrite_module that affects NGINX versions 0.6 and later. From 9.33 down to 1.30.0. According to AI-native security firm Depthfirst, the vulnerability was introduced back in 2008.

If successfully exploited, the flaw allows an unauthenticated attacker to crash worker processes or execute arbitrary remote code by sending specially crafted HTTP requests. It is worth noting, however, that code execution is only possible on systems where Address Space Layout Randomization (ASLR)—a protection against memory corruption attacks—has been disabled.

“It depends on a particular NGINX configuration being vulnerable, and on the attacker knowing or being able to discover that configuration in order to exploit it,” security researcher Kevin Beaumont said. Reaching RCE also requires that ASLR has been disabled on the target system.

In a comparable evaluation, the AlmaLinux team noted that converting the heap overflow into dependable code execution is not straightforward under default settings. On systems with ASLR active—which is standard across all supported AlmaLinux versions—they do not anticipate that creating a universal, dependable exploit would be simple.

“That said, ‘not easy’ does not mean ‘impossible,’ and the worker-crash DoS alone is exploitable enough that we recommend treating this as an urgent issue,” the maintainers added.

According to the latest VulnCheck findings, threat actors have already started weaponizing the vulnerability, with exploitation attempts observed against its honeypot networks. The specifics of the attack and its ultimate objectives remain unknown.
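For defenders watching for the worker-crash symptom described above, the following added example (not code from the article, VulnCheck or NGINX) scans error.log lines for workers killed by memory-fault signals, flags bursts of such crashes, and interprets the kernel ASLR setting. It assumes crashes surface as nginx's standard "worker process N exited on signal S" alert; the function names, the burst threshold and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# nginx master-process alert written when a worker dies from a signal.
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)
# Signals typical of memory corruption on Linux: SIGSEGV, SIGABRT, SIGBUS.
MEMORY_SIGNALS = {11, 6, 7}

def parse_crashes(lines):
    """Return (timestamp, pid, signal) for each worker killed by a memory-fault signal."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m.group(3)) in MEMORY_SIGNALS:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m.group(2)), int(m.group(3))))
    return events

def crash_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return start times of windows holding at least `threshold` crashes (assumed values)."""
    times = sorted(e[0] for e in events)
    bursts = []
    for i, start in enumerate(times):
        in_window = [t for t in times[i:] if t - start <= window]
        if len(in_window) >= threshold and (not bursts or start - bursts[-1] > window):
            bursts.append(start)
    return bursts

def aslr_enabled(randomize_va_space):
    """Interpret the text of /proc/sys/kernel/randomize_va_space: 0 = off, 1 or 2 = on."""
    return int(randomize_va_space.strip()) != 0

# Constructed sample error.log lines (not from a real incident).
SAMPLE_LOG = [
    "2026/05/20 10:15:01 [alert] 1200#1200: worker process 1301 exited on signal 11 (core dumped)",
    "2026/05/20 10:15:40 [alert] 1200#1200: worker process 1302 exited on signal 11 (core dumped)",
    "2026/05/20 10:17:12 [alert] 1200#1200: worker process 1310 exited on signal 6",
    "2026/05/20 10:18:00 [notice] 1200#1200: signal 17 (SIGCHLD) received from 1310",
    "2026/05/20 13:02:09 [alert] 1200#1200: worker process 1400 exited on signal 9",
    "2026/05/20 13:30:00 [alert] 1200#1200: worker process 1422 exited on signal 11",
]

if __name__ == "__main__":
    events = parse_crashes(SAMPLE_LOG)
    print("memory-fault crashes:", len(events), "bursts:", crash_bursts(events))
    print("ASLR on for value '2':", aslr_enabled("2\n"))
```

A burst of memory-fault crashes on a host where the ASLR check returns false is the combination the article identifies as carrying code-execution risk rather than denial of service alone.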

  The Hacker News
