A newly disclosed flaw, CVE-2026-42945, in NGINX Plus and NGINX Open has been actively exploited in the wild, according to VulnCheck. The vulnerability is a heap buffer overflow in ngx_http_rewrite_module that affects NGINX versions 0.6.27 through 1.30.0 and was introduced in 2008, per depthfirst.
Successful exploitation can allow an unauthenticated attacker to crash worker processes (denial of service) or, with crafted HTTP requests, achieve remote code execution. Security researchers noted that reaching code execution requires both knowledge or discovery of a vulnerable NGINX configuration and ASLR being disabled on the target host.
AlmaLinux maintainers added that turning the heap overflow into reliable code execution is not trivial in default configurations with ASLR enabled, but not impossible, and urged that updates be applied without delay. VulnCheck’s latest findings indicate threat actors are weaponising the flaw, with honeypot networks showing exploitation attempts; the guidance is to apply the latest fixes from F5 to mitigate the active threat.
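For defenders triaging their own fleet, the report gives three usable signals: the affected version range, whether the build includes ngx_http_rewrite_module, and whether ASLR is on. The following Python script is an added example, not code from VulnCheck, F5, depthfirst or AlmaLinux, that turns those signals into a per-host exposure verdict. It assumes the affected range is exactly 0.6.27 through 1.30.0 as reported (the report names no fixed release, so a newer build is labelled "outside reported range" rather than "patched"), that `nginx -V` output is parsed as printed by NGINX (the `nginx-plus-r33` tag in the test data is a constructed sample), that the rewrite module is absent only when the build used `--without-http_rewrite_module`, and that ASLR state is read from `/proc/sys/kernel/randomize_va_space` on Linux.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range exactly as reported (inclusive at both ends).  The report gives
# no fixed release number, so anything newer than 1.30.0 is reported as
# "outside reported range", not as "patched".  (Assumption of this example.)
AFFECTED_MIN: Version = (0, 6, 27)
AFFECTED_MAX: Version = (1, 30, 0)

ASLR_SYSCTL = "/proc/sys/kernel/randomize_va_space"  # Linux only


def parse_nginx_version(banner: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of `nginx -v` / `nginx -V` output.

    Open-source builds print 'nginx version: nginx/1.24.0'; NGINX Plus builds
    typically append a build tag in parentheses.  Only the numeric triple is
    used for the range comparison.
    """
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def in_affected_range(version: Version) -> bool:
    """Tuple comparison orders numerically, so 1.30.0 > 1.9.9 as expected."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def rewrite_module_present(configure_args: str) -> bool:
    """`nginx -V` echoes the configure arguments; the rewrite module is built in
    unless it was explicitly disabled with --without-http_rewrite_module."""
    return "--without-http_rewrite_module" not in configure_args


def aslr_enabled(sysctl_value: str) -> bool:
    """randomize_va_space: 0 = disabled, 1 = randomise stack/mmap/vdso,
    2 = additionally randomise brk (the usual default)."""
    return sysctl_value.strip() in ("1", "2")


def assess(version_banner: str, configure_args: str, aslr_value: str) -> Dict[str, object]:
    """Combine the three signals into one exposure verdict.

    'vulnerable' means the build is in the reported range and still carries the
    rewrite module.  ASLR only lowers the likely impact (crash vs. code
    execution); it does not remove the need to update.
    """
    version = parse_nginx_version(version_banner)
    in_range = version is not None and in_affected_range(version)
    module = rewrite_module_present(configure_args)
    aslr = aslr_enabled(aslr_value)
    if version is None:
        verdict = "unknown: could not parse nginx version"
    elif not in_range:
        verdict = "outside reported range"
    elif not module:
        verdict = "reported range, but rewrite module compiled out"
    elif aslr:
        verdict = "vulnerable: update (ASLR on, crash/DoS still possible)"
    else:
        verdict = "vulnerable: update urgently (ASLR off raises RCE risk)"
    return {"version": version, "in_affected_range": in_range,
            "rewrite_module": module, "aslr_enabled": aslr, "verdict": verdict}


def assess_local_host(nginx_binary: str = "nginx") -> Dict[str, object]:
    """Run the checks against this machine (Linux).  Not exercised by the tests."""
    proc = subprocess.run([nginx_binary, "-V"], capture_output=True, text=True)
    banner = proc.stderr + proc.stdout  # nginx writes its -V output to stderr
    try:
        with open(ASLR_SYSCTL) as fh:
            aslr_value = fh.read()
    except OSError:
        aslr_value = ""  # unreadable: treated as disabled, i.e. the worst case
    return assess(banner, banner, aslr_value)


if __name__ == "__main__":
    # Constructed sample: an in-range open-source build on a host with ASLR on.
    SAMPLE_BANNER = ("nginx version: nginx/1.24.0\n"
                     "configure arguments: --prefix=/etc/nginx --with-http_ssl_module\n")
    print(assess(SAMPLE_BANNER, SAMPLE_BANNER, "2\n"))
```

Run `assess_local_host()` on each NGINX host (or feed it the `nginx -V` text collected by your inventory tooling) and sort on the `verdict` field; hosts with ASLR off and the rewrite module present go to the front of the patch queue, but every build inside the reported range still needs the F5 fix.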