On May 13, 2026, F5 and security research platform depthfirst jointly disclosed CVE-2026-42945, a critical heap-based buffer overflow (CWE-122) in NGINX's ngx_http_rewrite_module. The flaw received a CVSS v4 score of 9.2 and affects every version of the web server from 0.6.27 through 1.30.0 inclusive, as well as NGINX Plus. The vulnerability was introduced in 2008, meaning it quietly shipped in production deployments for roughly 18 years before anyone caught it.
When a rewrite replacement contains a question mark, ngx_http_script_start_args_code sets e->is_args = 1 on the main script engine and never clears it — a subtle state-management error that downstream logic turns into an exploitable memory corruption condition. The result is that a single crafted HTTP request is enough to trigger the bug.
Successful exploitation can permit an unauthenticated attacker to crash worker processes or execute remote code with crafted HTTP requests. Those two outcomes carry very different risk profiles, and the gap between them matters.
On the DoS side, the vulnerability can be reliably exploited to trigger a denial-of-service condition with no preconditions beyond network access to a vulnerable NGINX instance. For high-traffic sites, repeated worker crashes translate directly into outages.
RCE is a more conditional story. Code execution is possible only on devices where Address Space Layout Randomization (ASLR) is turned off. Reaching RCE also requires a specific NGINX configuration, and an attacker must know or discover that configuration to exploit it. AlmaLinux maintainers noted that turning the heap overflow into reliable code execution "is not trivial in the default configuration," and on systems with ASLR enabled — the default on every supported AlmaLinux release — a generic, reliable exploit is not expected to be easy to produce. They were careful to add, however, that "not easy" is not "impossible," and the worker-crash DoS is exploitable enough on its own to warrant treating the issue as urgent.
VulnCheck security researcher Patrick Garrity revealed on Saturday, May 17, that attackers are already exploiting CVE-2026-42945. Exploitation attempts were detected against VulnCheck's honeypot networks. The nature of the attack activity and the end goals are presently unknown. The speed of weaponization — less than a week from public disclosure to confirmed in-the-wild exploitation — reflects a broader trend of attackers compressing the window between patch release and active attacks.
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| NGINX Open Source (stable) | 0.6.27 – 1.30.0 | 1.30.1+ |
| NGINX Open Source (mainline) | 0.6.27 – 1.30.0 | 1.31.0+ |
| NGINX Plus | Affected (all supported releases on vulnerable core) | Apply F5 advisory update |
| Ingress NGINX (Kubernetes) | Affected where rewrite rules are in use | Apply vendor update |
Users are advised to apply the latest fixes from F5 to secure their networks against active threats. If patching cannot happen immediately, reviewing rewrite directive configurations and ensuring ASLR is enabled system-wide are meaningful mitigations — though neither substitutes for patching.
The NGINX news arrived alongside a second active-exploitation disclosure. VulnCheck also revealed exploitation efforts targeting two critical flaws in openDCIM, an open-source application used for data center infrastructure management.
In the first, REMOTE_USER is set without authentication enforcement, so the endpoint may be reachable without credentials, enabling unauthorized modification of application configuration. The second lies in the report_network_map.php component, which processes a parameter called dot without sanitization and passes it directly to a shell command, resulting in arbitrary code execution. Both CVEs were discovered alongside a third flaw, CVE-2026-28516, an SQL injection vulnerability also rated CVSS 9.3, by VulnCheck researcher Valentin Lobstein in February 2026. The three flaws can be chained to achieve remote code execution over five HTTP requests and spawn a reverse shell.
The attacker profile here is notable. VulnCheck vice president of security research Caitlin Condon stated that the cluster of attacker activity observed so far originates from a single Chinese IP and uses what appears to be a customized implementation of the AI vulnerability discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell. AI-assisted vulnerability scanning at the exploitation stage is an emerging operational detail worth watching.
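The command-injection primitive described above (an unsanitized `dot` parameter handed to a shell by report_network_map.php) is something a defender can hunt for in web server access logs. The following is an added example, not VulnCheck's or the openDCIM project's code. It assumes common/combined log format and an openDCIM path ending in /report_network_map.php; the shell-metacharacter list is a generic command-injection indicator, not a signature taken from the observed campaign, and the log lines are constructed for the demonstration.

```python
"""Flag access-log requests that try to inject shell syntax into openDCIM's
report_network_map.php `dot` parameter. Added example; assumptions are noted
in the comments."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Common Log Format prefix: ip ident user [time] "METHOD target PROTO" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a value break out of a shell command line
# (generic indicator, assumed here; not derived from the campaign).
_SHELL_META = set(";|&`$(){}<>\n")


def parse_access_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def is_dot_injection_attempt(target):
    """True when the request targets report_network_map.php and its `dot`
    parameter, after URL decoding, contains shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/report_network_map.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(set(value) & _SHELL_META for value in params.get("dot", []))


def suspicious_requests(lines):
    """Yield (ip, timestamp, target) for each flagged request; unparsable lines are skipped."""
    for line in lines:
        rec = parse_access_line(line)
        if rec and is_dot_injection_attempt(rec["target"]):
            yield rec["ip"], rec["ts"], rec["target"]


def attempts_by_source(lines):
    """Count flagged requests per source IP, for alert thresholding."""
    return Counter(ip for ip, _, _ in suspicious_requests(lines))


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2026:10:01:02 +0000] "GET /dcim/report_network_map.php?dot=campus HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/May/2026:10:01:05 +0000] "GET /dcim/report_network_map.php?dot=campus%3Bid HTTP/1.1" 200 88',
    '203.0.113.7 - - [17/May/2026:10:01:06 +0000] "GET /dcim/report_network_map.php?dot=%60id%60 HTTP/1.1" 200 91',
    '203.0.113.7 - - [17/May/2026:10:01:09 +0000] "GET /dcim/index.php HTTP/1.1" 200 1024',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for ip, ts, target in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} -> {target}")
    print(attempts_by_source(SAMPLE_LOG))
```

Run it against a real log by replacing `SAMPLE_LOG` with `open(path)`; the per-source counter is the natural input to an alert threshold, since a scanner that probes before dropping a web shell tends to hit the same endpoint several times from one address.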
Interim checks while patches are rolled out:

- Confirm ASLR is enabled: `cat /proc/sys/kernel/randomize_va_space` should return 2. This is the default on modern distros but worth confirming, especially on older or minimal container images.
- Review rewrite directives — particularly those whose replacements include a ? — as an interim measure.
- On openDCIM hosts, look for unexpected .php files in the web root, since the observed activity drops a PHP web shell.
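The two NGINX-side checks above (ASLR state and rewrite replacements containing a question mark) can be scripted so they run the same way on every host. This is an added example, not F5 or NGINX project code. It assumes the configuration is read as plain text (files pulled in via `include` are not followed), and that ASLR status is read from Linux's /proc/sys/kernel/randomize_va_space, where 2 means full randomization; the sample configuration is constructed.

```python
"""Interim audit for CVE-2026-42945: list rewrite directives whose replacement
contains '?' and report the host's ASLR setting. Added example."""
import re
import sys
from pathlib import Path

# One rewrite directive: rewrite <regex> <replacement> [flag];
# Each argument may be bare or wrapped in single or double quotes.
# [ \t]* rather than \s* so a match never starts on a preceding blank line,
# which would throw the reported line number off.
_REWRITE_RE = re.compile(
    r'^[ \t]*rewrite\s+'
    r'(?P<regex>"[^"]*"|\'[^\']*\'|\S+)\s+'
    r'(?P<repl>"[^"]*"|\'[^\']*\'|[^\s;]+)'
    r'(?:\s+(?P<flag>last|break|redirect|permanent))?\s*;',
    re.MULTILINE,
)


def _unquote(arg):
    """Strip one layer of matching quotes from a directive argument."""
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        return arg[1:-1]
    return arg


def find_risky_rewrites(config_text):
    """Return (line_number, replacement) for each rewrite whose replacement
    contains '?'. Commented-out directives are not reported because the
    pattern requires 'rewrite' to be the first token on the line."""
    hits = []
    for m in _REWRITE_RE.finditer(config_text):
        replacement = _unquote(m.group("repl"))
        if "?" in replacement:
            line_no = config_text.count("\n", 0, m.start()) + 1
            hits.append((line_no, replacement))
    return hits


def aslr_is_enabled(sysctl_value):
    """Interpret the contents of randomize_va_space: only 2 is full ASLR."""
    return sysctl_value.strip() == "2"


def check_system_aslr(path="/proc/sys/kernel/randomize_va_space"):
    """Read the live setting. Returns None when the knob is absent (non-Linux,
    or a container where /proc/sys is not exposed)."""
    p = Path(path)
    if not p.exists():
        return None
    return aslr_is_enabled(p.read_text())


# Constructed sample configuration used when no file path is given.
SAMPLE_CONF = """\
server {
    listen 80;
    # a commented-out rewrite is not reported:
    # rewrite ^/old$ /new?x=1 permanent;
    rewrite ^/legacy/(.*)$ /app/$1 last;
    rewrite ^/search/(.*)$ "/search.php?q=$1" last;
    rewrite ^/docs/(.*)$ /docs/$1? permanent;
}
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    for line_no, repl in find_risky_rewrites(text):
        print(f"line {line_no}: rewrite replacement contains '?': {repl}")
    status = check_system_aslr()
    print("ASLR:", {True: "enabled (2)", False: "not full", None: "unknown"}[status])
```

The script reports where a risky replacement lives, not whether it is exploitable; that judgement still belongs to whoever owns the configuration. Values 0 and 1 for randomize_va_space are both treated as "not full", since the RCE discussion above hinges on full randomization being in effect.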