Security Vulnerabilities in NGINX Causing DoS in RCE
NGINX rewrite module, is used to redirect or modify web requests.
The NGINX vulnerability known as CVE-2026-42945, is a programming mistake in the software where it writes or reads more data in memory than it should, causing a heap buffer overflow and is 18 year old, where in certain rewrite rules are configured in a vulnerable way.
This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Further attackers don’t need any authentication to send malformed requests to servers. The vulnerability was discovered with the help of AI models in recent months, missed by scanners and humans over the years.
The attack can be leveraged & Potential Impact
Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well.
- Crash or restart the NGINX server remotely
- Cause websites or applications to become unavailable
- Launch Denial-of-Service (DoS) attacks
In worst case if a Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:
- Attackers may be able to run malicious code on the server
- This could potentially lead to full server compromise
- Attackers require no authentication and can be performed remotely, while 5.7 million internet-facing NGINX servers may be exposed
- Exploitation is already happening in real-world attacks
- The vulnerable code has reportedly existed for nearly 18 years
| Vulnerability | Details |
|---|---|
| CVE ID | CVE-2026-42945 |
| Severity | High / Critical |
| Affected Product | NGINX OSS & NGINX Plus |
| Impact | DoS / Possible Remote Code Execution |
| Attack Requirement | Specially crafted web requests |
| Authentication Needed | No |
Researchers also found additional medium-severity vulnerabilities affecting:
- HTTP/3 QUIC module
- HTTP/2 proxy mode
- SSL module
- SCGI and uWSGI modules
- Charset handling module
These may cause:
- Memory exhaustion
- Data leakage
- Spoofing attacks
- Service instability
This causes a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the NGINX service crashes and restarts, causing a Denial-of-Service (DoS) condition.
Immediate Patching Recommendation
Upgrade to the latest patched NGINX versions immediately.
- Review and modify vulnerable rewrite rules.
- Restrict unnecessary internet exposure of NGINX servers.
- Monitor for unexpected NGINX crashes or restarts.
- Ensure ASLR and other OS-level security protections remain enabled.
The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.
How GaarudNode Helps Secure Against This Vulnerability
GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.
| Security Capability | How It Helps |
|---|---|
| Continuous OS & Infrastructure Vulnerability Scanning | Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads |
| Missing Patch Detection | Identifies systems missing critical NGINX security updates and tracks remediation status |
| Misconfiguration Assessment | Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw |
| CSPM (Cloud Security Posture Management) | Identifies internet-exposed NGINX instances and insecure cloud deployments |
| Network Security Visibility | Detects externally exposed web services and risky attack surfaces |
| Runtime Monitoring (Shift Right) | Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts |
| Risk Prioritization | Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation |
| Unified Risk Dashboard | Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks |
Sources: NGINX: DoS vulnerability is being attacked | heise online