NGINX CVE‑2026‑42945 Exploited in the Wild – Worker Crashes and Conditional RCE

![Featured image]()

Why this NGINX bug matters now

On May 15, 2026 the NGINX project disclosed a critical heap‑buffer overflow in the ngx_http_rewrite_module (CVE‑2026‑42945). Within 48 hours, the vulnerability was observed in the wild by the threat‑intel firm VulnCheck, which reported active exploitation attempts against its honeypot fleet. The flaw affects every NGINX release from 0.6.27 up through 1.30.0, covering the majority of production web‑servers and reverse‑proxy deployments worldwide.

The CVSS v3.1 base score of 9.2 reflects two distinct impact paths:

1. Denial‑of‑service – crafted HTTP requests trigger a heap overflow that crashes the worker process, forcing a rapid respawn cycle that can exhaust CPU and memory.
2. Remote code execution (RCE) – on systems where Address Space Layout Randomization (ASLR) is disabled, the overflow can be turned into an arbitrary‑write primitive, allowing an unauthenticated attacker to inject and execute shellcode.

Both outcomes are serious, but the immediate danger is the DoS vector, which can be leveraged even on hardened systems. The RCE path, while conditional, is not theoretical; researchers have demonstrated successful exploitation on a minimal Docker container with ASLR turned off.

---

Technical deep‑dive: how the rewrite module breaks

The rewrite module parses the rewrite and return directives at request time. The vulnerable code allocates a fixed‑size buffer for the rewritten URI and then uses strcpy‑style logic to copy user‑supplied data without proper length checks. When a malicious request includes an overly long $uri value, the heap allocation is overflowed, corrupting adjacent metadata.

Key factors that make exploitation practical:

• Configuration dependence – the overflow only triggers when the server evaluates a rewrite rule that references a variable derived from the request line (e.g., $request_uri). Many sites use such rules for SEO redirects or language handling.
• Predictable heap layout – the module’s allocation pattern is stable across versions, giving attackers a reliable target for the overflow.
• ASLR bypass – disabling ASLR removes the randomization that would otherwise make the overwritten pointers unpredictable. Containers that inherit the host kernel’s memory layout often run with ASLR disabled for performance, creating a fertile attack surface.

Kevin Beaumont, senior security researcher at Qualys, summed it up: "It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, ASLR also needs to be disabled on the box."

---

Real‑world exploitation signals

VulnCheck’s telemetry shows:

• Repeated HTTP GET requests containing a 12 KB payload in the request line, targeting ports 80 and 443 on public IP ranges.
• Honeypot crashes that match the stack trace of the rewrite module overflow, confirming successful DoS attempts.
• A single Chinese IP address that appears to be running a custom AI‑driven scanner (referred to by Caitlin Condon of VulnCheck as a "Vulnhuntr" implementation) which automatically probes for vulnerable rewrite patterns before dropping a PHP web shell.

While the ultimate payloads have not been publicly released, the pattern mirrors previous NGINX exploits where the initial crash is used as a foothold for a second‑stage payload once the attacker confirms the target is exploitable.

---

Mitigation checklist for operators

1. Upgrade immediately – the NGINX project released patches on May 16, 2026. Versions 1.30.1 (open source) and NGINX Plus 1.30.1 contain the fix. Apply the update through your package manager or pull the latest container image.
2. Verify ASLR is enabled – on Linux, ensure kernel.randomize_va_space = 2 in /etc/sysctl.conf. Restart the host or container after changing the setting.
3. Audit rewrite rules – look for any rewrite or return directives that incorporate $uri, $request_uri, or other request‑derived variables. If possible, replace them with static redirects or move the logic to an application layer.
4. Enable strict request‑line limits – set large_client_header_buffers and client_header_buffer_size to reasonable values (e.g., 1k and 4k). This reduces the chance of an oversized request line reaching the vulnerable code path.
5. Deploy a WAF rule – most modern web‑application firewalls (ModSecurity, Cloudflare, Fastly) have a signature for the overflow payload. Adding a rule that blocks requests with a request line longer than 8 KB can stop the attack in its tracks.
6. Monitor worker restarts – a sudden spike in nginx worker respawns is a strong indicator of exploitation. Configure alerts in your observability stack (Prometheus, Datadog, Splunk) to trigger on nginx_worker_processes restart counters.

---

Related threats: openDCIM chain attacks

VulnCheck also disclosed three critical flaws in openDCIM (CVE‑2026‑28515, CVE‑2026‑28516, CVE‑2026‑28517) that can be chained to achieve RCE in five HTTP requests. While unrelated to NGINX, the simultaneous disclosure highlights a broader trend: attackers are using automated AI‑driven scanners to hunt for multiple high‑severity bugs in a single campaign. Organizations that run both NGINX and openDCIM should prioritize patching both stacks.

---

Bottom line

The NGINX rewrite module overflow is a textbook example of a long‑standing code defect suddenly becoming weaponized. The combination of a low‑effort DoS vector and a conditional RCE path makes it a priority for any environment that still runs pre‑1.30.1 NGINX. Apply the vendor patches, enforce ASLR, and tighten your rewrite configuration today – the window for exploitation is already open.

---

Further reading

• NGINX security advisory: https://nginx.org/en/docs/security/advisories.html
• Official patch release notes: https://github.com/nginx/nginx/releases/tag/release-1.30.1
• VulnCheck blog post on the exploitation campaign: https://vulncheck.com/blog/nginx-cve-2026-42945-wild