Proof-of-concept (PoC) exploit code targeting a newly patched critical NGINX vulnerability has been published, with technical details and exploitation notes circulating online. The issue, tracked as CVE-2026-42945 and rated CVSS 9.2, was patched this week in F5's quarterly patch release and affects both NGINX Plus and NGINX open source builds.
Depthfirst describes it as a heap buffer overflow in ngx_http_rewrite_module: triggering it crashes the affected process and forces a restart, causing a denial-of-service condition, and remote code execution is possible if ASLR is disabled. The flaw stems from the two-pass script engine used by the rewrite and set directives, in which a rewrite replacement containing a question mark causes the engine to allocate an undersized buffer that is then overflowed.
F5 fixed the vulnerability in NGINX Plus versions 37.0.0, R36 P4 and R32 P6, and in NGINX open source versions 1.31.0 and 1.30.1. With PoC exploit code already available, deployments on earlier builds should be updated. Reported on 16 May 2026; written by Ionut Arghire.
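As an added triage helper (not code from the article, Depthfirst or F5), the script below covers the two practical checks the article's details support: whether a reported NGINX open source version is at or above the fixed releases (1.30.1 on the stable branch, 1.31.0 on mainline), and which rewrite directives in a config carry a question mark in their replacement, since that is the construct the article ties to the undersized allocation. The version banner parsing assumes the standard `nginx -v` output format. The article lists only the fixed releases, not the earliest affected one, so the version check treats anything older than the fixed branches as unpatched (an assumption). The sample config is constructed for the example, and a `?` in a rewrite replacement is a legitimate, documented nginx idiom (it suppresses appending the original query string), so hits are review items rather than findings.

```python
"""Triage helper for CVE-2026-42945 (heap overflow in ngx_http_rewrite_module).

Added example, not from the article or any vendor tooling.
"""
import re

# Fixed NGINX open source releases named in the article.
FIXED_STABLE = (1, 30, 1)    # stable branch
FIXED_MAINLINE = (1, 31, 0)  # mainline branch

# Constructed sample config for demonstration (not from the advisory).
SAMPLE_CONF = """\
server {
    listen 80;
    # constructed sample config (not from the advisory)
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/search/(.*)$ /find?q=$1? last;
    set $flag 1;
    location / { return 200; }
}
"""


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from an `nginx -v` banner such as
    'nginx version: nginx/1.30.0'. Assumes the standard banner format."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version found in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_patched_oss(version: tuple) -> bool:
    """True if an NGINX open source version is at or above a fixed release.

    ASSUMPTION: the article does not name the earliest affected version, so
    anything older than the fixed branches is reported as unpatched.
    """
    if version >= FIXED_MAINLINE:
        return True
    if FIXED_STABLE <= version < FIXED_MAINLINE:
        return True
    return False


def find_rewrites_with_question_mark(conf_text: str) -> list:
    """Return (line_number, replacement) for every `rewrite` directive whose
    replacement argument contains a '?'.

    Simple whitespace tokenizer: it handles the common one-directive-per-line
    layout but not quoted arguments containing spaces or '#'.
    """
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = stripped.rstrip(";").split()
        # rewrite <regex> <replacement> [flag];
        if len(parts) < 3 or parts[0] != "rewrite":
            continue
        replacement = parts[2]
        if "?" in replacement:
            hits.append((lineno, replacement))
    return hits


def main() -> None:
    version = parse_version("nginx version: nginx/1.30.0")
    status = "patched" if is_patched_oss(version) else "UNPATCHED"
    print(f"nginx {'.'.join(map(str, version))}: {status}")
    for lineno, replacement in find_rewrites_with_question_mark(SAMPLE_CONF):
        print(f"line {lineno}: rewrite replacement {replacement!r} contains '?', review")


if __name__ == "__main__":
    main()
```

On a real host, feed `parse_version` the output of `nginx -v` (it writes the banner to stderr) and `find_rewrites_with_question_mark` the output of `nginx -T`, which dumps the full resolved configuration including included files. NGINX Plus reports its own release numbering, so compare those builds against the Plus versions in the article rather than this open source check.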