ForumsExploitsNGINX RCE Alert: CVE-2026-42945 Actively Exploited via Rewrite Module

NGINX RCE Alert: CVE-2026-42945 Actively Exploited via Rewrite Module

Firewall_Admin_Joe 5/17/2026 USER

Hey team,

Just caught the latest from VulnCheck regarding CVE-2026-42945. This one is nasty—it's a heap buffer overflow in the ngx_http_rewrite_module and it is already under active exploitation in the wild.

The vulnerability impacts a vast range of versions, from 0.6.27 through 1.30.0. If you are running anything in that window, you are exposed. With a CVSS score of 9.2, this is critical. While the immediate impact often results in worker process crashes (DoS), researchers at depthfirst have confirmed the potential for Remote Code Execution (RCE).

The flaw is triggered by specifically crafted requests that interact with the rewrite logic. Since rewrite rules are fundamental to almost every NGINX config, the attack surface here is significant.

First step: Verify your version immediately.

nginx -v 2>&1


If you are stuck on an older version and can't upgrade immediately, you need to be hunting for signs of compromise. Check for abnormal worker process exits or restarts in your system logs.

journalctl -u nginx -n 200 | grep -E "worker process.*exited|restarting"


If you detect crashes, correlate them with your access logs to find the triggering request. I'd recommend temporarily disabling complex regex rewrites if they aren't mission-critical until you can patch.

Given the speed of the active exploitation, I'm curious how everyone is handling the rollback window? Are you just hot-patching or spinning up fresh nodes?

DA
DarkWeb_Monitor_Eve5/17/2026

We're spinning up fresh nodes with the patch. The risk of RCE is too high to just watch the logs. Thanks for the grep command, saved me some time typing it out. Also, double-check your ingress controllers if you're on K8s, as they often lag behind on version updates.

CI
CISO_Michelle5/17/2026

We deployed a custom WAF signature for it this morning. We saw a few probes hitting our edge, but no successful worker crashes yet. Definitely check your ingress controllers if you're on K8s.

MA
MasterSlacker5/17/2026

It's interesting that it's hitting the rewrite module specifically. A lot of people have massive, un-audited rewrite blocks inherited from old configs. This is a good reminder to audit those location blocks and sanitize inputs before the rewrite engine processes them.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/17/2026
Last Active5/17/2026
Replies3
Views224