The Bottom Line: The NGINX security vulnerability CVE-2026-42945 is already being actively exploited and enables worker process crashes or potentially remote code execution. Particularly critical is the broad impact on all NGINX versions from 0.6 onwards.
A critical vulnerability in NGINX Plus and NGINX Open is being exploited in practice just days after its public disclosure. The flaw, with a CVSS score of 9.2, allows attackers to crash worker processes or potentially execute arbitrary code.
The security vulnerability registered as CVE-2026-42945 affects NGINX versions from 0.6 to 1.30.0 and was introduced years ago, in 2008. It is a heap buffer overflow in the ngx_http_rewrite_module. Unauthenticated attackers can crash worker processes through specially crafted HTTP requests or enable remote code execution – but only if the memory protection measure ASLR (Address Space Layout Randomization) is disabled on the target system.

According to security researcher Kevin Beaumont, successful exploitation requires that attackers know or can determine the specific NGINX configuration. The AlmaLinux team emphasizes that reliable code execution under standard conditions is not straightforward. Nevertheless, the maintainers warn: “Not straightforward does not mean impossible” – even a mere denial-of-service attack through worker crashes presents an urgent problem.

The security firm VulnCheck has already found evidence of active exploitation of the vulnerability in its honeypot networks. The exact details of the attacks and their targets remain unclear so far.
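The two facts an administrator can act on immediately are the affected version range (0.6 through 1.30.0) and the dependence on ASLR being disabled. The following POSIX shell script, added here as an illustration and not taken from NGINX, F5 or any of the sources quoted above, checks both on a Linux host: it compares the locally installed NGINX version against the range stated in the article and reads the kernel's ASLR setting from /proc/sys/kernel/randomize_va_space. The article does not name a fixed release, so the script only reports whether the installed version falls inside the range quoted above; the "fixed above 1.30.0" assumption is the script's, not the article's.

```shell
#!/bin/sh
# Added example: triage helper for the CVE-2026-42945 advisory described above.
# Assumptions (not stated on the page): versions above 1.30.0 are treated as
# outside the affected range, and nginx is on PATH and prints "nginx/X.Y.Z".

# vercmp A B: prints -1, 0 or 1 as dotted version A is <, = or > B.
# Missing trailing components are treated as 0, so 1.30 equals 1.30.0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# is_affected V: succeeds (returns 0) when 0.6.0 <= V <= 1.30.0,
# i.e. the range the advisory above lists as affected.
is_affected() {
  if [ "$(vercmp "$1" 0.6.0)" -ge 0 ] && [ "$(vercmp "$1" 1.30.0)" -le 0 ]; then
    return 0
  fi
  return 1
}

# aslr_status [FILE]: prints the Linux ASLR mode (0 = off, 1 = stack/mmap
# only, 2 = full, including brk) or "unknown" when the file is unreadable.
aslr_status() {
  f=${1:-/proc/sys/kernel/randomize_va_space}
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo unknown
  fi
}

# installed_nginx_version: extracts X.Y.Z from "nginx version: nginx/X.Y.Z";
# prints nothing when nginx is not installed.
installed_nginx_version() {
  if command -v nginx >/dev/null 2>&1; then
    nginx -v 2>&1 | sed 's/.*nginx\///; s/ .*//'
  fi
}

# Stand-alone report when run directly.
v=$(installed_nginx_version)
if [ -z "$v" ]; then
  echo "nginx not found on PATH; skipping version check"
elif is_affected "$v"; then
  echo "nginx $v is within the affected range 0.6 - 1.30.0: patch or mitigate"
else
  echo "nginx $v is outside the affected range quoted in the advisory"
fi
case "$(aslr_status)" in
  2) echo "ASLR: full (2); the RCE path described above requires ASLR off" ;;
  1) echo "ASLR: partial (1); consider setting kernel.randomize_va_space=2" ;;
  0) echo "ASLR: DISABLED (0); this is the precondition the advisory names for RCE" ;;
  *) echo "ASLR: could not be determined on this system" ;;
esac
```

The version comparison is numeric per component rather than a plain string compare, so 1.30.0 correctly sorts after 1.4.0; a string compare would get that wrong and is a common source of false "not affected" results in ad-hoc inventory scripts. The ASLR value is read rather than changed; re-enabling it (`sysctl -w kernel.randomize_va_space=2`) is a separate decision, since some legacy workloads deliberately run with it off.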