A single rewrite rule, the kind pasted into NGINX configurations thousands of times a day, can hand an unauthenticated attacker full remote code execution on the underlying server. The vulnerability, tracked as CVE-2026-42945, is a heap buffer overflow inside NGINX’s ngx_http_rewrite_module. It has been hiding in the codebase for roughly 18 years, meaning every major NGINX release shipped during that span carried the flaw. The National Vulnerability Database published the formal record in May 2026.
Inside the bug
The overflow fires when three ingredients appear together in a server’s configuration: a rewrite, set, or if directive that uses unnamed PCRE capture groups ($1, $2, etc.), paired with a replacement string containing a literal question mark. That combination is not exotic. It shows up in URL-rewriting tutorials, query-parameter stripping rules, and backend routing patterns across the web.
When a crafted HTTP request reaches a matching rule, the rewrite module miscalculates the buffer size needed to assemble the rewritten URI. Data spills past the boundary of a heap allocation. Heap overflows of this type are among the most exploitable memory corruption bugs in C-based software: an attacker who controls the overflow content can overwrite adjacent heap metadata or function pointers, pivoting from a crash to arbitrary code execution. The CVE record confirms that remote code execution is the expected impact, and it notes that no authentication, session token, or prior access is required to trigger the flaw. No CVSS score has been assigned in the NVD entry as of June 2026.
Why 18 years matters
The ngx_http_rewrite_module has shipped with NGINX since its earliest public releases. According to the NVD entry, the vulnerable buffer-handling logic has been present for approximately 18 years, predating F5’s acquisition of NGINX in 2019 by more than a decade. Every fork, embedded build, appliance firmware image, and container base layer derived from those releases inherited the bug.
NGINX serves a dominant share of global web traffic. W3Techs consistently ranks it as the most widely used web server, powering roughly a third of all websites whose server software can be identified. Beyond traditional web hosting, NGINX is embedded in Kubernetes ingress controllers, commercial API gateways, IoT device firmware, and the internal plumbing of major cloud platforms. The headline figure of “billions of devices” reflects that sprawling footprint, though no single source has published a verified global count of installations running a vulnerable rewrite configuration.
What is still missing
As of early June 2026, several gaps remain in the public record:
- Affected version list. The NVD entry does not yet enumerate specific NGINX versions or distribution packages. Administrators cannot rely on a simple version check and must instead audit their rewrite rules directly.
- Vendor patch or advisory. Neither the open-source NGINX project nor F5 has published a patched release, commit reference, or remediation guide. Downstream Linux distributions that package NGINX are waiting on upstream coordination.
- Discoverer identity. No researcher or team has been publicly credited with the find, and no proof-of-concept code has surfaced in monitored disclosure channels.
- Wild exploitation. There are no confirmed reports of active exploitation. The low complexity of the trigger pattern makes weaponization plausible, but no incident data or threat-intelligence alerts have appeared in public feeds.
- NGINX Plus and managed services. Whether F5’s commercial NGINX Plus product or cloud-managed ingress services (such as AWS ALB, Google Cloud Load Balancing, or Azure Application Gateway that may proxy to NGINX internally) are affected has not been addressed by any vendor statement.
What defenders should do now
Without an official patch, the priority is reducing exposure at the configuration level.
Audit rewrite rules. Search every nginx.conf and included file for rewrite, set, or if directives that reference unnamed captures ($1, $2) and contain a ? in the replacement string. Any match is a potential trigger point.
Switch to named captures. Replacing $1 references with named PCRE groups (e.g., (?P<segment>...) referenced as $segment) sidesteps the vulnerable code path based on the trigger conditions described in the CVE record.
Remove unnecessary question marks. If a literal ? in the replacement string is not functionally required, stripping it eliminates the second ingredient the overflow needs.
Layer compensating controls. Web application firewalls can be tuned to flag or block requests with abnormally long or malformed path segments and query strings. Reverse proxies or API gateways sitting in front of NGINX can normalize inbound URLs before they reach the rewrite module, shrinking the input space available to an attacker.
Monitor vendor channels. Watch the NGINX security advisories page, F5’s support portal, and your Linux distribution’s security tracker for patch announcements. When a fix lands, prioritize it as critical.
What this reveals about configuration-dependent vulnerabilities
NGINX’s codebase has been reviewed by thousands of developers and security researchers over nearly two decades. That a heap overflow survived that scrutiny for 18 years points to a blind spot in how the industry audits configuration-dependent bugs. The flaw does not fire on every request or in every deployment. It requires a specific combination of directives and syntax, the kind of combination that static analysis tools and fuzzing harnesses may never generate unless they are fed realistic configuration files alongside crafted HTTP input.
Cloud infrastructure deepens the challenge. When NGINX is embedded inside a managed ingress controller or a platform-as-a-service load balancer, the end user may never see the rewrite rules that govern traffic routing. Responsibility for patching or reconfiguring splits between the cloud provider, the software vendor, and the customer, and none of them may realize the vulnerable pattern is present without a deliberate audit.
CVE-2026-42945 is a sharp reminder that configuration languages are part of the attack surface, not just a convenience layer on top of it. As infrastructure-as-code practices spread, treating every directive combination as a potential security input, not just a deployment detail, will be the difference between catching the next 18-year-old bug early and discovering it after it has already been exploited.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
