NGINX RCE Alert: CVE-2026-42945 Actively Exploited via Rewrite Module
Hey team,
Just caught the latest from VulnCheck regarding CVE-2026-42945. This one is nasty—it's a heap buffer overflow in the ngx_http_rewrite_module and it is already under active exploitation in the wild.
The vulnerability impacts a vast range of versions, from 0.6.27 through 1.30.0. If you are running anything in that window, you are exposed. With a CVSS score of 9.2, this is critical. While the immediate impact often results in worker process crashes (DoS), researchers at depthfirst have confirmed the potential for Remote Code Execution (RCE).
The flaw is triggered by specifically crafted requests that interact with the rewrite logic. Since rewrite rules are fundamental to almost every NGINX config, the attack surface here is significant.
First step: Verify your version immediately.
nginx -v 2>&1
If you are stuck on an older version and can't upgrade immediately, you need to be hunting for signs of compromise. Check for abnormal worker process exits or restarts in your system logs.
journalctl -u nginx -n 200 | grep -E "worker process.*exited|restarting"
If you detect crashes, correlate them with your access logs to find the triggering request. I'd recommend temporarily disabling complex regex rewrites if they aren't mission-critical until you can patch.
Given the speed of the active exploitation, I'm curious how everyone is handling the rollback window? Are you just hot-patching or spinning up fresh nodes?
We're spinning up fresh nodes with the patch. The risk of RCE is too high to just watch the logs. Thanks for the grep command, saved me some time typing it out. Also, double-check your ingress controllers if you're on K8s, as they often lag behind on version updates.
We deployed a custom WAF signature for it this morning. We saw a few probes hitting our edge, but no successful worker crashes yet. Definitely check your ingress controllers if you're on K8s.
It's interesting that it's hitting the rewrite module specifically. A lot of people have massive, un-audited rewrite blocks inherited from old configs. This is a good reminder to audit those location blocks and sanitize inputs before the rewrite engine processes them.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access