Summary

NGINX disclosed a critical 18-year-old heap buffer overflow vulnerability (CVE-2026-42945) in its rewrite module that allows unauthenticated remote code execution or denial-of-service via crafted HTTP requests.

Take Action:

Check your platform and tooling for running NGINX. If you are running NGINX and related F5 deployments, patch ASAP. Alternatively change your rewrite rules to use named captures instead of unnamed ones.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines