
NGINX Rift: An 18-Year-Old Heap Buffer Overflow in the World's Most Deployed Web Server

CVE-2026-42945, a CVSS 9.2 vulnerability in the NGINX rewrite module, has been in the code since 0.6.27. Patches are rolling out. Affects nearly every web server on the public internet.

Security researchers disclosed CVE-2026-42945 on May 13, a heap buffer overflow in NGINX's HTTP rewrite module with a CVSS v4 score of 9.2. The flaw affects NGINX versions 0.6.27 through 1.30.0 and has been present in the codebase for approximately 18 years. Patched packages began rolling out to Linux distribution repositories on May 14. The bug allows an unauthenticated attacker to crash a worker process via a single crafted HTTP request, and to achieve remote code execution on hosts with ASLR disabled.

Three operational facts to bound the panic.

First, the prerequisite. Exploitation requires the affected server to use a rewrite directive with an unnamed PCRE capture group ($1, $2) plus a replacement string containing a question mark, followed by another rewrite, if, or set directive. Many production NGINX deployments do not use rewrite rules of that specific shape. Auditing your configurations against the pattern is the first step.

Second, ASLR is the difference between DoS and RCE. On hosts with ASLR enabled (the default on modern Linux), exploitation crashes the worker process but does not reliably achieve code execution. On hosts with ASLR disabled (older systems, hardened embedded deployments, certain container builds), code execution is plausible.

Third, patch availability. AlmaLinux production repositories had patched packages by the evening of May 14. RHEL, Ubuntu, Debian, and the official NGINX repos have releases in flight. Cloud-managed NGINX (NGINX Plus, AWS ALB, GCP Cloud Load Balancing) has been patched at the vendor level for most customers, with no operator action required.

The 18-year provenance of the bug is the structural concern. The codepath has been in production since 2008 and has survived years of fuzzing, static analysis, and incidental review. That tells you something about the limits of those techniques on edge-case interactions between configuration directives. It does not tell you NGINX is unsafe; the same observation applies to every long-lived open-source project.

For NGINX operators: audit your rewrite directives for the trigger pattern this week, then patch on your normal cadence. The headline severity is real, but the exploitation prerequisites narrow the affected population considerably. For anyone running web-facing services on legacy hardened systems with ASLR disabled, treat this as urgent.
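
One way to run that audit, as an added example that is not from the original article or the NGINX project: it flags a `rewrite` whose replacement references an unnamed capture (`$1`, `$2`) and contains `?`, when a later `rewrite`, `if`, or `set` follows. Assumptions: "followed by" is read as "later in the same block", `include` files are not followed (feed it the merged output of `nginx -T`), and the function name and sample config are constructed for illustration.

```python
import re

# Directives the article names as the "follower" half of the trigger shape.
FOLLOWERS = {"rewrite", "if", "set"}
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+''')
UNNAMED_REF = re.compile(r"\$[1-9]")  # $1, $2, ... but not named variables

# Constructed sample config, not taken from any real deployment.
SAMPLE = """server {
  location /a/ {
    rewrite ^/a/(.*)$ /b/$1?src=a last;   # matches the shape
    set $flag 1;                          # ...and a follower exists
  }
  location /c/ {
    rewrite ^/c/(?<rest>.*)$ /d/$rest?x=1 last;  # named capture: not flagged
    set $flag 2;
  }
  location /h/ {
    rewrite ^/h/(.*)$ /i/$1? permanent;   # shape matches, nothing follows in block
  }
}
"""

def find_trigger_rewrites(conf):
    """Return [(line, directive_text)] for rewrites matching the described shape."""
    findings, pending, words, start = [], [[]], [], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):            # comment to end of line
            continue
        if tok not in ("{", "}", ";"):     # argument of the current directive
            if not words:
                start = conf.count("\n", 0, m.start()) + 1
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)
            continue
        if tok != "}" and words:           # directive ended by ';' or block opener
            if words[0] in FOLLOWERS:      # confirms candidates seen earlier in block
                findings.extend(pending[-1])
                pending[-1] = []
            if (words[0] == "rewrite" and len(words) >= 3
                    and UNNAMED_REF.search(words[2]) and "?" in words[2]):
                pending[-1].append((start, " ".join(words)))
        if tok == "{":
            pending.append([])             # candidates are tracked per block
        elif tok == "}" and len(pending) > 1:
            pending.pop()
        words = []
    return findings

if __name__ == "__main__":
    for line, text in find_trigger_rewrites(SAMPLE):
        print(f"line {line}: review before patching: {text}")
```

A hit means the directive is worth reviewing by hand, not that the host is exploitable; an empty result on a tokenizer this simple is not proof of absence.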