Researchers have found a critical vulnerability in the widely used Nginx web server that can potentially lead to remote code execution under certain conditions. The flaw is a heap buffer overflow that has gone undetected in the program’s code for the past 18 years.
Tracked as CVE-2026-42945, the vulnerability is one of four bugs found in Nginx by researchers from security startup DepthFirst AI, using their LLM-powered platform. It adds to the growing number of flaws that security scanners and humans have missed in high-profile open-source projects over the years, but which have been discovered with the help of AI models in recent months.
Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well. The software is also commonly used as a reverse proxy, load balancer and cache for other web applications and servers.
The CVE-2026-42945 vulnerability is located in ngx_http_rewrite_module, a component that handles URL rewrites, and impacts Nginx versions from 0.6.27 to 1.30.0. The issue has been given a 9.2 CVSS severity score and was patched in versions 1.31.0 and 1.30.1.
The commercial product, Nginx Plus, owned and developed by network and application security firm F5, is also vulnerable, and received patches in versions R36 P4, R32 P6 and 37.0.0. Other F5 products based on Nginx open source and Nginx Plus are impacted, but have not yet received updates, including Nginx Instance Manager, F5 WAF for Nginx, Nginx App Protect WAF, F5 DoS for Nginx, Nginx App Protect DoS, Nginx Gateway Fabric, and Nginx Ingress Controller.
“This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?),” F5 said in its advisory. According to the company, exploitation will result in a denial of service condition in the form of a server crash and, on systems with Address Space Layout Randomization (ASLR) disabled, arbitrary code execution.
Achieving RCE
While the proof-of-concept (PoC) exploit developed by DepthFirst and shared with F5 did not include an ASLR bypass, the researchers believe it is possible to achieve one. ASLR is a memory corruption exploit mitigation technology that’s present and enabled by default in most modern operating systems.
“Nginx uses a multi-process architecture where worker processes fork from a single master process,” DepthFirst researcher Zhenpeng Lin said in a blog post. “Because of this design, the memory space is duplicated exactly for every child worker. This means the heap layout remains entirely deterministic across different workers. If our exploit fails and crashes a worker, the master process simply spawns a new one with the exact same memory layout. This allows us to safely try multiple times until we succeed without worrying about the worker crashing and changing the memory layout. Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte.”
The researchers also believe the Nginx configurations required to exploit this vulnerability are common. For example, URL rewrite rules are often used when migrating API endpoints to new locations without disrupting external clients that still query the old URL. The set directive can be used to store the original path, or parts of it, in a custom variable to maintain state, route endpoints dynamically, or pass it to the backend application for audit and logging purposes.
“Together, these two directives are common building blocks in API gateway configurations,” Lin said.
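As an added triage example (not code from Nginx, F5, DepthFirst or the article), the script below applies the two facts the article gives to a deployment: whether an open-source Nginx build's version lies in the affected range, and whether a configuration contains the directive shape from F5's advisory. It assumes that "followed by" means a later rewrite, if or set directive in the same block, that only the rewrite directive's own replacement string matters, and it uses a constructed sample config. The scan is a heuristic for prioritising upgrades, not a test of exploitability.

```python
# Added triage example for CVE-2026-42945; not code from nginx, F5 or DepthFirst.
# version_is_affected(): is an open-source nginx build in the affected range the
# article gives (0.6.27 through 1.30.0; 1.30.1 and 1.31.0 carry the fix)?
# find_risky_sequences(): does a config contain the shape F5 describes, a rewrite
# whose replacement uses an unnamed capture ($1, $2, ...) plus a "?", followed in
# the same block by rewrite, if or set? Assumed reading of the advisory; this is
# a heuristic for prioritising upgrades, and upgrading is the fix regardless.
import re

AFFECTED_MIN, AFFECTED_MAX = (0, 6, 27), (1, 30, 0)
CAPTURE_REF = re.compile(r"\$\d")
FOLLOWERS = {"rewrite", "if", "set"}


def parse_version(text):
    """Pull (major, minor, patch) out of `nginx -v` output or a bare version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_affected(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def iter_directives(config):
    """Yield (line, depth, name, args) per statement; name None marks a closed block.

    Minimal tokenizer for # comments, quoted arguments and { } nesting; it does
    not follow `include`. The line reported is that of the terminating ; or {.
    """
    depth, line, i, token, tokens = 0, 1, 0, "", []

    def flush():
        nonlocal token
        if token:
            tokens.append(token)
        token = ""

    while i < len(config):
        c = config[i]
        if c == "\n":
            line += 1
        if c == "#":                             # comment: skip to end of line
            while i < len(config) and config[i] != "\n":
                i += 1
            continue
        if c in "'\"":                           # quoted argument, kept verbatim
            flush()
            j = config.index(c, i + 1)
            line += config.count("\n", i, j)
            tokens.append(config[i + 1:j])
            i = j + 1
            continue
        if c in ";{":                            # statement end; { also opens a block
            flush()
            if tokens:
                yield line, depth, tokens[0], tokens[1:]
            tokens = []
            if c == "{":
                depth += 1
        elif c == "}":
            depth -= 1
            yield line, depth, None, []
        elif c.isspace():
            flush()
        else:
            token += c
        i += 1


def find_risky_sequences(config):
    """Return [(line, replacement, following_directive)] for each risky shape."""
    hits, pending = [], {}          # pending: depth -> last risky rewrite in the open block
    for line, depth, name, args in iter_directives(config):
        if name is None:            # a block at depth + 1 closed; drop its rewrites
            pending.pop(depth + 1, None)
        elif name in FOLLOWERS and depth in pending:
            hits.append((*pending.pop(depth), name))
        # rewrite REGEX REPLACEMENT [flag]: flag a replacement holding $N and "?"
        if name == "rewrite" and len(args) > 1 and "?" in args[1] and CAPTURE_REF.search(args[1]):
            pending[depth] = (line, args[1])
    return hits


# Constructed sample config (not from any real deployment); two of three blocks match.
SAMPLE_CONFIG = """\
http {
    server {
        # API migration; the trailing ? drops the original query string
        location /api/v1/ {
            rewrite ^/api/v1/(.*)$ /api/v2/$1? last;
            set $orig_path $1;
            proxy_pass http://backend;
        }
        location /legacy/ {
            rewrite "^/legacy/(.*)$" /new/$1? ;
            if ($arg_debug) { return 403; }
        }
        location /static/ {
            rewrite ^/static/(.*)$ /assets/$1 break;
            set $asset $1;
        }
    }
}
"""

if __name__ == "__main__":
    print("affected:", version_is_affected("nginx version: nginx/1.28.0"))
    for line, repl, follower in find_risky_sequences(SAMPLE_CONFIG):
        print(f"line {line}: rewrite to {repl!r} followed by {follower}")
```

In practice, feed `version_is_affected` the output of `nginx -v` and `find_risky_sequences` the output of `nginx -T`, which dumps the fully resolved configuration including files pulled in by `include`. The third location block in the sample references `$1` but has no `?` in the replacement, so it is deliberately left unflagged; Nginx Plus builds use their own version numbering and are not covered by the version check.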
Since the proof-of-concept exploit has been published on GitHub, users are advised to upgrade to a patched version as soon as possible, as Nginx vulnerabilities have been exploited by attackers in the past. Denial of service alone is a serious risk to web servers, even without the ASLR bypass posited by the researchers.
The other three vulnerabilities disclosed by DepthFirst and patched in the new Nginx releases can also lead to denial of service, memory leaks, or data modification. They are tracked as CVE-2026-42946 (CVSS 8.3 – high severity), CVE-2026-42934 (CVSS 6.3 – medium) and CVE-2026-40701 (CVSS 6.3 – medium).