A critical memory-safety flaw in NGINX, identified as CVE-2026-42945, shows once again that even massively deployed software projects can carry historical defects with present-day impact. The vulnerability is a buffer overflow in the ngx_http_rewrite_module module that has remained in the code for almost 18 years and, under the CVSS classification, received a high score (9.2) for its potential to cause denial of service and, under specific conditions, remote code execution.
The research that revealed this flaw was published by DepthFirst AI, which also found three additional memory corruption problems during an automated code analysis session. The central vector of CVE-2026-42945 is an inconsistency in NGINX's internal script engine: a first pass calculates the memory needed using the raw URI lengths, and a second pass writes the escaped (longer) version, causing a heap buffer overflow when 'rewrite' and 'set' directives coexist in typical API gateway and reverse proxy configurations.

DepthFirst demonstrated an exploitation scenario that, in environments with ASLR disabled, makes it possible to corrupt NGINX pool memory structures, overwrite cleanup handler pointers and force a system() call during the cleanup process, that is, a path to remote command execution. However, the community has qualified this finding: researchers such as Kevin Beaumont and distribution teams such as AlmaLinux have pointed out that turning this overflow into a reliable exploit against systems with modern protections enabled is not trivial. Still, everyone agrees that the denial-of-service component is easy to reproduce and must be treated as urgent.
The risk is all the greater considering that NGINX powers approximately one third of major sites and is widely used by cloud providers, SaaS platforms, banks, e-commerce and Kubernetes clusters. The NGINX multi-process architecture also facilitates exploitation: the worker processes inherit almost identical memory layouts from the master process, which allows repeated attempts to manipulate the heap even when a worker crashes and is replaced.
F5, which maintains the project, published an advisory with the affected versions and patches. The fixes are available in NGINX Open Source 1.31.0 and 1.30.1, as well as in specific patches for NGINX Plus and other distributions in the ecosystem. For official details see the F5 advisory and the NVD description: F5 Security Advisory and NVD · CVE-2026-42945. DepthFirst's technical report on the research will be published as a detailed reference on its page: DepthFirst · NGINX Rift.
In addition to CVE-2026-42945, the scans detected other flaws in the same period: an excessive memory allocation in the SCGI/uwsgi modules that can leave workers occupying ~1 TB (CVE-2026-42946), a use-after-free in asynchronous OCSP resolution (CVE-2026-40701) and an off-by-one error in UTF-8 (CVE-2026-42934). Although these received medium or high ratings, together they reinforce the idea that production deployments need to be audited in full.

If you manage environments that use NGINX, the priority actions I recommend are clear: update to the patched versions as soon as possible after pre-production testing; if you cannot patch immediately, apply the temporary mitigation proposed by the vendor, such as replacing unnamed PCRE capture groups ($1, $2, etc.) in 'rewrite' rules with named captures, which eliminates the main exploitation condition identified. Reviewing the rewrite and set rules, limiting the exposed surface of endpoints that accept complex query strings, and tightening the size and timeout limits for HTTP requests reduce the likelihood of exploitation.
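One way to locate the rules this mitigation targets, as an added example that is not from the vendor advisory or the NGINX project: a heuristic Python audit that flags 'rewrite' directives whose replacement references numbered captures and records whether a 'set' directive sits in the same or an enclosing block. The sample configuration is constructed, and the function name `audit` and the scope rule are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not from the article or a real deployment).
SAMPLE_CONF = r"""
server {
    location /api/ {
        set $backend "v2";
        rewrite ^/api/(.*)$ /$backend/$1 break;
    }
    location /docs/ {
        rewrite ^/docs/(?<page>.+)$ /static/$page last;
    }
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1 permanent;
    }
}
"""

REWRITE = re.compile(r"^rewrite\s+(\S+)\s+(\S+)")   # regex, replacement
SET = re.compile(r"^set\s+\$\w+")
NUMBERED_REF = re.compile(r"\$\d")                  # $1, $2, ... capture references

def audit(conf_text):
    """Flag rewrites whose replacement uses numbered captures ($1, $2, ...).
    Line-based heuristic: one directive per line, braces only as block
    delimiters. Assumption: 'coexist' = a set in the same or an enclosing block.
    """
    stack, next_id = [0], 1            # ids of the enclosing blocks
    rewrites, set_scopes = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(next_id)
            next_id += 1
        elif SET.match(line):
            set_scopes.append(tuple(stack))
        else:
            m = REWRITE.match(line)
            if m and NUMBERED_REF.search(m.group(2)):
                rewrites.append((lineno, line, tuple(stack)))
    return [
        {"line": n, "directive": d,
         "set_in_scope": any(path[:len(s)] == s for s in set_scopes)}
        for n, d, path in rewrites
    ]
```

On the sample, the rule in /docs/ already uses a named capture and is not reported; the other two are, and only the /api/ one has a 'set' in scope.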
Also check that the system's protections are active: ASLR must remain enabled, and containers or VM images must not disable mitigations for production performance reasons. Strengthen process isolation, run NGINX with minimum privileges, keep logs and alerts focused on worker crashes and frequent restarts, and apply HTTP traffic anomaly detection that can reveal exploitation attempts. For Kubernetes environments, promptly update the Ingress controllers and the base images used in the pods.
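The alerting on worker crashes described above can be sketched as follows; this is an added example, not code from the article or from NGINX. It scans error_log text for workers that exited on a signal and reports bursts inside a sliding window. The log lines are constructed, and the function name `crash_bursts`, the threshold of 3 and the 60-second window are assumptions to tune per deployment.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in the nginx error_log format (not real incident data).
SAMPLE_LOG = """\
2026/05/14 10:02:11 [alert] 812#812: worker process 4021 exited on signal 11 (core dumped)
2026/05/14 10:02:12 [notice] 812#812: start worker process 4030
2026/05/14 10:02:19 [alert] 812#812: worker process 4030 exited on signal 11 (core dumped)
2026/05/14 10:02:31 [alert] 812#812: worker process 4044 exited on signal 6
2026/05/14 11:40:00 [alert] 812#812: worker process 4051 exited on signal 11
"""

CRASH = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)

def crash_bursts(log_text, threshold=3, window_s=60):
    """Return (timestamp, count) whenever at least `threshold` workers
    died on a signal within the last `window_s` seconds."""
    recent, alerts = deque(), []
    window = timedelta(seconds=window_s)
    for line in log_text.splitlines():
        m = CRASH.match(line)
        if not m:
            continue                      # normal start/stop messages are ignored
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        recent.append(ts)
        while ts - recent[0] > window:    # drop crashes that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return alerts

if __name__ == "__main__":
    for when, count in crash_bursts(SAMPLE_LOG):
        print(f"{when}: {count} worker crashes within 60s")
```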
Finally, consider that the available evidence shows a dual threat: a reproducible DoS vector and an RCE vector that requires specific conditions. Do not underestimate the operational impact of repeated worker crashes or the possibility that a specialized attacker can adapt techniques to get around mitigations in certain environments. Plan the patching in controlled windows, subject the changes to load and security tests, and maintain communication with your vendors and incident response teams to speed up containment if you detect suspicious activity related to these vulnerabilities.