Hackers are wasting no time exploiting a newly disclosed critical vulnerability in NGINX, one of the world’s most widely deployed web servers and reverse proxies. Security researchers have confirmed that real-world attacks targeting CVE-2026-42945 — a heap buffer overflow flaw — began just days after its public disclosure, once again underscoring how rapidly threat actors weaponize newly published vulnerabilities.
What Is CVE-2026-42945?
CVE-2026-42945 is a heap buffer overflow vulnerability affecting both NGINX Open Source and NGINX Plus. The flaw can be triggered by an unauthenticated attacker who sends specially crafted HTTP requests to a vulnerable server, causing NGINX worker processes to crash. This alone produces denial-of-service (DoS) conditions that disrupt critical services relying on NGINX for load balancing, reverse proxying, or web serving.
The situation becomes significantly more dangerous under specific configurations. In environments where Address Space Layout Randomization (ASLR) is disabled, exploitation may escalate beyond a simple crash to remote code execution (RCE), allowing attackers to run arbitrary commands on the affected server. Researchers from VulnCheck’s Initial Access team note that while ASLR is enabled by default on most modern systems, edge cases persist — particularly in legacy deployments or specialized embedded environments. An additional prerequisite for full RCE exploitation is the presence of specific NGINX rewrite configuration directives, which means not every NGINX installation is vulnerable to the worst-case scenario.
Massive Exposure Surface
According to VulnCheck researcher Patrick Garrity, data from the internet scanning platform Censys indicates approximately 5.7 million internet-facing NGINX servers could be running vulnerable versions. Even if only a fraction of these systems meet the exact configuration requirements for RCE, the sheer volume of potentially affected deployments demands urgent attention from security and operations teams worldwide.
NGINX is deeply embedded in modern infrastructure — it serves as the front-end web server or reverse proxy for countless enterprise applications, cloud-native workloads, and API gateways. A successful compromise of a perimeter-facing NGINX instance can provide attackers with an initial foothold from which to pivot deeper into backend networks and sensitive data stores.
Active Exploitation Already Confirmed
This vulnerability has rapidly moved from disclosure to active in-the-wild exploitation. The window between public vulnerability disclosure and the emergence of active attack campaigns has shrunk dramatically in recent years — in some cases collapsing from weeks to just hours. Early exploitation activity linked to CVE-2026-42945 is consistent with opportunistic threat actors conducting automated scanning for misconfigured or unpatched servers, seeking initial access for follow-on ransomware deployments, data exfiltration, or persistent backdoor installations.
The risk is amplified by the fact that NGINX is a highly popular component in DevOps pipelines, content delivery networks, and microservices architectures. Attackers targeting NGINX are often after more than the web server itself — they are after the internal services and sensitive systems that NGINX sits in front of.
Recommended Mitigations
Security teams should immediately take the following steps to reduce exposure:
- Apply all available patches and security updates for NGINX Open Source and NGINX Plus as soon as they are released by F5/NGINX
- Verify that ASLR is enabled on all systems running NGINX — on Linux, check that /proc/sys/kernel/randomize_va_space returns 2
- Audit NGINX rewrite configuration rules and remove unnecessary or overly broad directives that could expand the attack surface
- Deploy web application firewall (WAF) rules to detect and block anomalous or malformed HTTP requests targeting this flaw
- Monitor NGINX access and error logs for unusual traffic patterns, elevated crash rates, or signs of active scanning
- Restrict internet exposure of NGINX instances where possible and apply network-level controls to limit access to trusted IP ranges
- Subscribe to NGINX security advisories and the National Vulnerability Database (NVD) for CVE-2026-42945 patch updates
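The ASLR check and the rewrite-directive audit from the list above, combined into a small triage script. This is an added example, not code from the article or from F5/NGINX; it assumes one directive per line, does not follow include directives, and treats any randomize_va_space value other than 2 as not fully randomized.

```shell
#!/bin/sh
# Added triage helper (not from the article or F5/NGINX): reports the kernel
# ASLR setting and counts rewrite directives, the two preconditions the
# article names for the worst-case (RCE) outcome of CVE-2026-42945.

# Classify ASLR from the sysctl file; the path is a parameter so the check can
# run against a constructed file. Real path: /proc/sys/kernel/randomize_va_space
aslr_status() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        2) echo "full" ;;
        1) echo "partial" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Count uncommented 'rewrite' directives (one per line, includes not followed).
# grep -c exits 1 on zero matches, so '|| true' keeps 'set -e' callers alive.
count_rewrite_directives() {
    grep -Ec '^[[:space:]]*rewrite[[:space:]]' "$1" || true
}

# Combine both checks into one verdict for patch prioritisation.
triage() {
    aslr=$(aslr_status "$1"); rewrites=$(count_rewrite_directives "$2")
    if [ "$aslr" != "full" ] && [ "$rewrites" -gt 0 ]; then
        echo "HIGH: ASLR=$aslr, rewrites=$rewrites (RCE preconditions present)"
    else
        echo "MEDIUM: ASLR=$aslr, rewrites=$rewrites (worker crash / DoS risk)"
    fi
}

# Constructed sample configuration for the demo run; not a real deployment.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    # rewrite ^/old$ /new permanent;   (commented out, must not be counted)
    rewrite ^/legacy/(.*)$ /app/$1 last;
    rewrite ^/api/v1/(.*)$ /v2/$1 break;
}
EOF
triage /proc/sys/kernel/randomize_va_space "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it on each NGINX host with the real configuration path in place of the sample; a HIGH verdict means patching that host should be escalated ahead of the rest.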
The Shrinking Patch Window
CVE-2026-42945 is a stark reminder that proactive vulnerability management is no longer optional for organizations of any size. Security teams must treat high-severity vulnerabilities affecting widely deployed infrastructure components — especially those with confirmed in-the-wild exploitation — as emergency remediation priorities rather than routine maintenance tasks. With threat actors increasingly automating vulnerability scanning and exploitation at scale, the gap between disclosure and weaponization will only continue to shrink. Organizations that delay patching, even by a few days, are already exposed.