NGINX flaw enables remote code

- On May 13, 2026, F5 and researcher depthfirst disclosed CVE-2026-42945, an NGINX rewrite-module heap overflow present since 2008 in vulnerable builds. (my.f5.com)
- F5 said code execution is possible when ASLR is disabled, while the public GitHub proof-of-concept targets servers using rewrite and set directives. (my.f5.com)
- Fixed versions are NGINX 1.31.0 and 1.30.1, and F5 lists the advisory under K000161019. (nginx.org)

F5 disclosed a flaw in NGINX on May 13 that the company said can let remote attackers crash worker processes and, in some cases, execute code. The bug, tracked as CVE-2026-42945, sits in the `ngx_http_rewrite_module` and affects NGINX Open Source versions 0.6.27 through 1.30.0, according to the NGINX security advisories page. (my.f5.com)

Researcher depthfirst published a public proof-of-concept exploit on GitHub a day later and said the vulnerable code path dates to 2008. F5’s advisory says the issue is in the data plane, not the control plane. (nginx.org)

### Which NGINX versions are affected, and which ones are fixed?

NGINX’s own security advisory lists CVE-2026-42945 as fixed in versions 1.31.0 and 1.30.1. The same advisory lists vulnerable open-source versions as 0.6.27 through 1.30.0.

Depthfirst’s GitHub repository says NGINX Plus releases R32 through R36 are affected, with fixes in R36 P4, R35 P2 and R32 P6. F5’s May 2026 quarterly security notification lists the rewrite-module issue among the vulnerabilities disclosed on May 13. (my.f5.com)

### What exactly is the bug in the rewrite module?

Depthfirst says the flaw is a heap buffer overflow in NGINX’s two-pass script engine. In the researcher’s description, the first pass calculates buffer length while a sub-engine starts with `is_args = 0`, but the later copy pass can run with `is_args = 1`, causing URI escaping to expand bytes beyond the size originally allocated. (nginx.org)

CVE Reports, summarizing the assigned CVE, describes the issue as a heap-based buffer overflow caused by an inconsistency in the two-pass script execution engine in `ngx_http_rewrite_module`. (github.com) That mismatch can produce memory corruption when specific configuration conditions are present.

### Does this mean every NGINX server can be taken over remotely?

F5 says the immediate impact is denial of service and “possibly” code execution, adding that code execution is possible on systems with Address Space Layout Randomization, or ASLR, disabled. (github.com) The company does not describe the bug as universal remote takeover across all deployments.

BleepingComputer reported the flaw allows denial of service broadly and remote code execution under certain conditions. Depthfirst’s proof-of-concept README says the exploit targets servers that use both `rewrite` and `set` directives, which the repository describes as the trigger condition for the public exploit. (cvereports.com)

### Why are researchers calling it an 18-year-old flaw?

Depthfirst’s repository says the vulnerable code was introduced in 2008. NGINX’s advisory range begins at version 0.6.27, and multiple reports tied the first affected release to 2008, producing the “18-year-old” label used in coverage this week. (my.f5.com)

The age of the flaw refers to when the bug entered the codebase, not to when it was publicly disclosed. The public disclosure from F5 and the related advisory pages were published on May 13, 2026, with the GitHub proof-of-concept appearing the next day. (bleepingcomputer.com)

### What should operators check first?

F5’s advisory points administrators to fixed releases and says the issue is limited to the data plane. NGINX’s advisory page identifies 1.31.0 and 1.30.1 as the non-vulnerable open-source versions, which gives operators the primary version check. (github.com)

Depthfirst’s repository gives defenders a second check: whether deployed configurations use `rewrite` and `set` directives in the vulnerable module. The repository also links to the vendor advisory and includes a reproducible test environment and exploit code, which security teams can use to validate exposure in controlled conditions. (my.f5.com)

F5’s advisory K000161019 and the NGINX security advisories page were both available as of May 15, and the public GitHub repository remained online with exploit details and affected-version tables. (my.f5.com) (github.com)
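The two operator checks described above can be combined into one triage script. This is an added example, not code from F5, NGINX or depthfirst's repository: it covers only the NGINX Open Source range quoted in the article, and the function names and sample configuration are hypothetical. It assumes the banner comes from `nginx -v` and the configuration text from `nginx -T`.

```python
import re

# Affected NGINX Open Source range as stated in the article above.
FIRST_AFFECTED, LAST_AFFECTED = (0, 6, 27), (1, 30, 0)

# Comments, quoted strings, block/statement punctuation, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|[^\s;{}]+''')

def version_affected(banner):
    """True if the version in `nginx -v` output (or a bare x.y.z) is in range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return FIRST_AFFECTED <= tuple(map(int, m.groups())) <= LAST_AFFECTED

def directive_names(conf):
    """Return (line, name) per directive; comments and quoted text are skipped."""
    out, expect_name = [], True
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok in (";", "{", "}"):
            expect_name = True          # next bare token starts a directive
        elif expect_name:
            out.append((conf.count("\n", 0, m.start()) + 1, tok))
            expect_name = False
    return out

def exposure(banner, conf):
    """Combine the version check with the rewrite + set configuration check."""
    names = directive_names(conf)
    rewrite = [ln for ln, n in names if n == "rewrite"]
    sets = [ln for ln, n in names if n == "set"]
    affected = version_affected(banner)
    return {"version_affected": affected, "rewrite_lines": rewrite,
            "set_lines": sets, "needs_review": affected and bool(rewrite and sets)}

# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = """\
# constructed sample, not from the page
server {
    listen 80;
    set $backend "app;1";   # quoted ';' must not end the directive
    location /old {
        rewrite ^/old/(.*)$ /new/$1 last;
    }
    # rewrite ^/x /y;  (commented out, must be ignored)
}
"""

if __name__ == "__main__":
    print(exposure("nginx version: nginx/1.30.0", SAMPLE_CONF))
```

A `needs_review` result means the build is in the affected range and both directives are present; it prioritizes patching and does not by itself confirm that a given configuration is reachable by the public exploit.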
