F5 fixes critical NGINX vulnerability exploited in the wild after 18 years unnoticed
A buffer overflow in the NGINX rewrite module, present in the code since 2008, led F5 to issue an emergency patch after VulnCheck recorded exploitation attempts against honeypots. The vulnerability has a CVSS score of 9.2 and affects versions 0.6.27 to 1.30.0.
F5 has published an urgent fix for a critical vulnerability in NGINX, a web server and reverse proxy that forms a significant part of public and internal corporate infrastructure. Classified as CVE-2026-42945 and with a CVSS score of 9.2, the flaw is a buffer overflow in the ngx_http_rewrite_module, present in the code since 2008 and affecting all versions from 0.6.27 to 1.30.0, including both the open source line and the commercial version NGINX Plus.
The discovery was attributed to depthfirst, a security company that employs AI models for source code auditing. Public disclosure occurred on May 17, and within a matter of days, VulnCheck registered exploitation attempts against honeypots in its telemetry network.
RCE is difficult; process crash is easy
The potential for remote code execution exists, but it is not trivial. Researcher Kevin Beaumont summarised the scenario: "to reach RCE, ASLR also needs to be disabled on the machine". Maintainers of AlmaLinux echoed this: "turning the heap overflow into reliable code execution is not trivial in the default configuration". The immediate risk, therefore, is denial of service from recurrent crashes of the worker processes, with opportunistic windows for code execution wherever memory randomisation is absent.
The combination of a vast surface area, observed exploitation, and an available patch makes this a typical high-priority scenario for security teams. Those managing heterogeneous NGINX environments, whether directly or embedded in Linux distributions or containers, have a short window to inventory versions and apply F5’s update.
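As an added inventory check (example code, not from the article, F5 or NGINX), this POSIX shell helper reads the version out of the `nginx -v` banner and flags anything inside the affected range the advisory gives, 0.6.27 to 1.30.0. The parsing pattern, the numeric version key and the sample banners are assumptions of this example; distributions often backport fixes without changing the upstream version string, so a match means "confirm patch status with the vendor", not "confirmed vulnerable".

```shell
#!/bin/sh
# Affected range stated in the advisory, inclusive at both ends.
AFFECTED_MIN="0.6.27"
AFFECTED_MAX="1.30.0"

# ver_key X.Y.Z -> single integer for numeric comparison.
# Distro suffixes are dropped first: "1.18.0-6ubuntu14.4" -> "1.18.0".
ver_key() {
    v=$(printf '%s' "$1" | sed -E 's/^[^0-9]*([0-9]+(\.[0-9]+)*).*/\1/')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Returns 0 when the version falls inside AFFECTED_MIN..AFFECTED_MAX.
nginx_in_affected_range() {
    k=$(ver_key "$1")
    if [ "$k" -ge "$(ver_key "$AFFECTED_MIN")" ] && [ "$k" -le "$(ver_key "$AFFECTED_MAX")" ]; then
        return 0
    fi
    return 1
}

# `nginx -v` prints "nginx version: nginx/1.24.0" (NGINX Plus appends a
# build tag after the number); extract the X.Y.Z part.
nginx_version_from_banner() {
    printf '%s' "$1" | sed -n -E 's#.*nginx/([0-9]+\.[0-9]+\.[0-9]+).*#\1#p'
}

# Run against the local binary; exit 1 = in range, 2 = nginx not found.
check_host() {
    banner=$(nginx -v 2>&1) || { echo "nginx not found"; return 2; }
    v=$(nginx_version_from_banner "$banner")
    if nginx_in_affected_range "$v"; then
        echo "nginx $v is inside the advisory range (0.6.27-1.30.0): confirm vendor/distro patch status"
        return 1
    fi
    echo "nginx $v is outside the advisory range"
}

case "${1:-}" in --run) check_host ;; esac
```

Run it as `sh check.sh --run` on each host, or inside each container with `docker exec <name> sh check.sh --run`, and feed the results into the version inventory.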