What Happened
Attackers are actively exploiting CVE-2026-42945, a heap buffer overflow in NGINX's ngx_http_rewrite_module. VulnCheck detected exploitation attempts against their honeypot networks. The vulnerability affects NGINX versions 0.6.27 through 1.30.0 and can crash worker processes or, under specific conditions, enable remote code execution.
This vulnerability was introduced in 2008. What has changed now is that exploitation code is circulating and attackers are scanning for vulnerable instances.
Timeline
2008: The vulnerability is introduced in NGINX version 0.6.27.
2026: CVE-2026-42945 is assigned and disclosed.
Shortly after disclosure: VulnCheck observes active exploitation attempts against honeypot infrastructure.
Current state: Exploitation is ongoing; successful attacks result in worker crashes at minimum, with remote code execution possible when ASLR is disabled.
The 18-year gap between introduction and discovery is significant. If you deployed NGINX before 2026 and haven't upgraded, you're running vulnerable code. Even if you hardened your configuration in 2015, those settings might not address this issue.
Which Controls Failed or Were Missing
Vulnerability management failed at the scanning layer. The affected module ships by default. Unless you audit rewrite rules in your configuration, you won't know if you're exposed. Many teams scan for known CVEs but don't correlate those findings with their actual NGINX configuration files.
Memory protection mechanisms were absent or misconfigured. ASLR (Address Space Layout Randomization) makes remote code execution significantly harder. When ASLR is disabled -- either through system configuration or because it was never enabled -- the attack surface expands from denial-of-service to code execution.
Configuration management lacked security context. The ngx_http_rewrite_module is widely used for URL rewriting and redirects. Teams configured rewrite rules for functionality without considering the security implications of the module's memory handling. No one audited whether rewrite complexity introduced overflow risk.
Patch cycles were too slow. Organizations running NGINX 1.27 or earlier had no compelling reason to upgrade. Many treat web servers as "set and forget" infrastructure. The gap between "vulnerable version deployed" and "patch applied" was measured in years, not days.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.3.1 mandates that security vulnerabilities are identified using reputable sources and that new security vulnerabilities are addressed according to risk ranking. For a remotely exploitable vulnerability in an internet-facing web server, your risk ranking should put this at the top of your patching queue.
Requirement 6.3.3 requires that security patches and updates are installed within one month of release for critical patches. If you're in scope for PCI DSS and running vulnerable NGINX versions, you're out of compliance from the moment you became aware of CVE-2026-42945.
ISO/IEC 27001:2022 Control 8.8 (Management of technical vulnerabilities) requires you to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate measures. "Appropriate measures" for a heap overflow in a core module means patching, not just monitoring.
NIST 800-53 Rev 5 SI-2 (Flaw Remediation) requires you to identify, report, and correct system flaws. It also requires you to install security-relevant software updates within timeframes established by organizational policy. For critical infrastructure components like web servers, that timeframe should be measured in days.
NIST CSF v2.0 PR.IP-12 calls for a vulnerability management plan that includes prioritization. A remotely exploitable heap overflow in NGINX should trigger your highest-priority response process.
None of these standards say "enable ASLR" explicitly, but they all require defense-in-depth. Running without memory protection mechanisms when they're available is a gap in your security architecture.
Lessons and Action Items for Your Team
Inventory your NGINX deployments immediately. You need version numbers and configuration files for every instance. Don't assume your CMDB is current -- actually query the servers.
nginx -v
grep -r "rewrite" /etc/nginx/
If you're running anything between 0.6.27 and 1.30.0, you're vulnerable. If your configuration uses rewrite directives, you're exposed.
Verify ASLR is enabled on every system running NGINX. Check the kernel setting:
cat /proc/sys/kernel/randomize_va_space
You want to see 2. If you see 0, ASLR is disabled. If you see 1, it's partially enabled. Change it to 2 (this requires root):
echo 2 > /proc/sys/kernel/randomize_va_space
Make it permanent in /etc/sysctl.conf:
kernel.randomize_va_space = 2
Upgrade NGINX to version 1.30.1 or later. Test in staging first, but don't let testing drag on for weeks. This is a critical patch for an actively exploited vulnerability.
Audit your rewrite rules. Complex rewrite logic increases your attack surface. If you're using rewrites for URL normalization or redirects, consider whether you can simplify or move that logic to your application layer.
Update your vulnerability scanning process. Add configuration analysis to your scans. Knowing you run NGINX 1.28 isn't enough -- you need to know if ngx_http_rewrite_module is active and how it's configured.
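The inventory, ASLR check and configuration-analysis steps above fit naturally into one triage script. The following is an added example written for this page; it is not code from the advisory or from the NGINX project. It correlates the three facts the text asks you to collect (version, presence of rewrite directives, ASLR setting) and labels each host accordingly. The affected version range is the one stated above; the config directory and sysctl path are parameters so the checks can also run offline against copied-out files, and the `--live` mode, `nginx -T` dump and `/etc/nginx` path are assumptions about a typical Linux install.

```shell
#!/bin/sh
# Hypothetical triage script (added example; not from the advisory or the
# NGINX project). Correlates NGINX version, rewrite usage and ASLR state.
set -u

# Map "MAJOR.MINOR.PATCH" to an integer so versions compare numerically.
ver_key() {
    IFS=. read -r maj min pat rest <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Extract "1.24.0" from the text `nginx -v` writes (it goes to stderr).
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p'
}

# Affected range stated in the advisory: 0.6.27 through 1.30.0 inclusive.
is_vulnerable_version() {
    v=$(ver_key "$1")
    [ "$v" -ge "$(ver_key 0.6.27)" ] && [ "$v" -le "$(ver_key 1.30.0)" ]
}

# Count uncommented `rewrite` directives on stdin, e.g. the output of
# `nginx -T`, which dumps the full configuration with includes resolved.
count_rewrites() {
    grep -cE '^[[:space:]]*rewrite[[:space:]]' || true
}

# True if any *.conf file under directory $1 carries a rewrite directive.
has_rewrite_directives() {
    n=$(find "$1" -type f -name '*.conf' -exec cat {} + | count_rewrites)
    [ "$n" -gt 0 ]
}

# Classify the ASLR sysctl value; $1 defaults to the live kernel setting.
aslr_status() {
    f=${1:-/proc/sys/kernel/randomize_va_space}
    case "$(cat "$f" 2>/dev/null)" in
        2) echo full ;;
        1) echo partial ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combine the three findings into one label for the inventory.
# $1 version string, $2 config directory, $3 path to the sysctl value.
triage() {
    if ! is_vulnerable_version "$1"; then
        echo "not-affected"
    elif ! has_rewrite_directives "$2"; then
        echo "vulnerable-version:no-rewrite"
    else
        echo "exposed:aslr-$(aslr_status "$3")"
    fi
}

# Live mode: inspect this host. Assumes nginx is on PATH and config in /etc/nginx.
if [ "${1:-}" = "--live" ]; then
    ver=$(parse_nginx_version "$(nginx -v 2>&1)")
    printf '%s version=%s rewrites=%s result=%s\n' "$(hostname)" "$ver" \
        "$(nginx -T 2>/dev/null | count_rewrites)" \
        "$(triage "$ver" /etc/nginx /proc/sys/kernel/randomize_va_space)"
fi
```

Run it with `--live` on each host (or over SSH in a loop) and collect the output lines; anything labelled `exposed:aslr-disabled` or `exposed:aslr-partial` belongs at the top of the patch queue. The directory scan only sees `*.conf` files, so prefer the `nginx -T` count in live mode, since it follows `include` directives wherever they point.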
Set a patch SLA for infrastructure components. If you don't have a policy that says "critical patches for internet-facing services within 7 days," create one now. Make it part of your compliance program, not just an operational guideline.
Review your defense-in-depth posture. ASLR is table stakes, not advanced security. Check what other memory protection mechanisms you're missing: stack canaries, DEP/NX, RELRO. These should be enabled by default on any system built in the last decade.
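ASLR is a kernel setting, but the other protections listed above (stack canaries, NX, RELRO) are properties of the binary itself, and a PIE build is what lets ASLR randomize the executable's own mappings. The script below is an added example, not part of this advisory or of any NGINX tooling; it reads a `readelf -W -h -l -d -s` dump of the NGINX binary and reports each property. The parsing assumes the text layout of GNU binutils `readelf` (the `Type:` line of the ELF header, the `GNU_STACK` and `GNU_RELRO` program headers, `BIND_NOW` in the dynamic section, and an imported `__stack_chk_fail` symbol), which is how tools such as checksec reach the same conclusions; older binutils describe a PIE as `DYN (Shared object file)`, which the match still covers.

```shell
#!/bin/sh
# Hypothetical hardening check (added example; not from the advisory).
# Every check reads a `readelf -W -h -l -d -s BINARY` dump on stdin.
set -u

# PIE: the ELF header type is DYN. For an executable that means
# position-independent code, which ASLR can relocate; a plain EXEC cannot be.
is_pie() {
    grep -qE '^[[:space:]]*Type:[[:space:]]+DYN'
}

# NX: a GNU_STACK program header exists and does not carry the E (exec) flag.
# Without the header at all, many kernels fall back to an executable stack.
has_nx_stack() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -qE '^[[:space:]]*GNU_STACK[[:space:]]' &&
        ! printf '%s\n' "$dump" | grep -qE '^[[:space:]]*GNU_STACK[[:space:]].*RWE'
}

# RELRO: none (no GNU_RELRO segment), partial (segment only),
# full (segment plus BIND_NOW, so the GOT is read-only after startup).
relro_level() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -qE '^[[:space:]]*GNU_RELRO[[:space:]]'; then
        echo none
    elif printf '%s\n' "$dump" | grep -qE 'BIND_NOW|Flags:.*NOW'; then
        echo full
    else
        echo partial
    fi
}

# Stack canary: the binary imports __stack_chk_fail, which only happens when
# it was compiled with -fstack-protector and at least one function uses it.
has_stack_canary() {
    grep -q '__stack_chk_fail'
}

# Build one report line from a dump held in a string (testable without readelf).
# $1 label for the binary, $2 the readelf dump text.
report_from_dump() {
    bin=$1; dump=$2
    pie=no;    printf '%s\n' "$dump" | is_pie           && pie=yes
    nx=no;     printf '%s\n' "$dump" | has_nx_stack     && nx=yes
    canary=no; printf '%s\n' "$dump" | has_stack_canary && canary=yes
    relro=$(printf '%s\n' "$dump" | relro_level)
    printf '%s pie=%s nx=%s canary=%s relro=%s\n' "$bin" "$pie" "$nx" "$canary" "$relro"
}

# Run readelf on a real binary and report on it. $1: path to the ELF file.
hardening_report() {
    dump=$(readelf -W -h -l -d -s "$1" 2>/dev/null) || {
        echo "$1: readelf failed"; return 1
    }
    report_from_dump "$1" "$dump"
}

# Live mode: check whichever nginx binary is on PATH (assumed location).
if [ "${1:-}" = "--live" ]; then
    hardening_report "$(command -v nginx)"
fi
```

Any `no` or a `relro` value other than `full` on an internet-facing binary is a finding to record alongside the ASLR result; distribution packages of NGINX are normally built with all four, so a deviation usually points at a locally compiled or very old build.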
Document this incident in your risk register. When auditors ask about your vulnerability management process, you need evidence that you identified, assessed, and remediated this issue. Include timeline, affected systems, and remediation proof.
The fact that this vulnerability existed for 18 years before disclosure should concern you. Your current NGINX configuration might contain other long-standing issues. Treat this as a prompt to audit not just for known CVEs, but for risky configuration patterns that could become vulnerabilities later.