Comprehensive Threat Exposure Management Platform
F5 has released emergency security patches addressing six critical vulnerabilities in NGINX, the world’s most widely deployed web server platform powering approximately one-third of all websites globally. Disclosed on May 13, 2026, the most severe vulnerability is CVE-2026-42945, a critical heap-based buffer overflow in the ngx_http_rewrite_module that remained undetected in the NGINX codebase for approximately 18 years since its introduction in 2008.
CVE-2026-42945 allows an unauthenticated attacker to crash NGINX worker processes with a single crafted HTTP request, causing denial of service. On systems where Address Space Layout Randomization (ASLR) is disabled, exploitation of CVE-2026-42945 can be escalated to remote code execution, letting attackers run arbitrary commands on vulnerable NGINX servers. The CVE-2026-42945 vulnerability impacts NGINX Open Source versions 0.6.27 through 1.30.0, NGINX Plus R32 through R36, and a broad range of associated F5 products including NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF/DoS, NGINX Gateway Fabric, and NGINX Ingress Controller.
Active exploitation of CVE-2026-42945 was confirmed against security honeypot networks by May 16, 2026, just four days after public disclosure, with a functional proof-of-concept exploit demonstrating full remote code execution already circulating publicly. Since NGINX powers approximately one-third of all websites globally and any internet-exposed NGINX instance using the vulnerable rewrite configuration pattern is at risk, the CVE-2026-42945 attack surface remains vast. Organizations running affected NGINX versions are strongly urged to upgrade to patched versions 1.31.0 (mainline) or 1.30.1 (stable) without delay.
A critical set of vulnerabilities affecting NGINX, the world’s most widely deployed web server platform, was publicly disclosed by F5 on May 13, 2026. The most severe among them, CVE-2026-42945, is a heap-based buffer overflow in the ngx_http_rewrite_module that has existed undetected in the NGINX codebase for approximately 18 years since its introduction in 2008. The CVE-2026-42945 vulnerability impacts NGINX Open Source versions 0.6.27 through 1.30.0, NGINX Plus R32 through R36, and a broad range of associated F5 products including NGINX Instance Manager, App Protect WAF, Gateway Fabric, and Ingress Controller.
NGINX powers approximately one-third of all websites globally, and any internet-exposed NGINX instance using the vulnerable rewrite configuration pattern is at risk. Since the vulnerable rewrite pattern using unnamed regex captures is common in production NGINX deployments for URL manipulation and request routing, the CVE-2026-42945 attack surface remains vast across enterprise web infrastructure worldwide.
The CVE-2026-42945 vulnerability stems from a state mismatch in NGINX’s script engine during URL rewriting operations. When a rewrite directive with a question-mark-containing replacement string is followed by a set directive referencing a regex capture variable, the NGINX script engine calculates the destination buffer size using one escaping method but writes data using another incompatible escaping method. Escapable characters like plus signs and ampersands expand from one byte to three bytes during the copy pass, overflowing the allocated heap buffer.
An unauthenticated attacker can trigger CVE-2026-42945 exploitation with a single crafted HTTP request targeting NGINX servers that use the specific vulnerable rewrite configuration pattern. On all affected NGINX configurations, successful CVE-2026-42945 exploitation crashes the NGINX worker process, causing denial of service. On systems where Address Space Layout Randomization (ASLR) is disabled, the heap buffer overflow can be leveraged for remote code execution. The attacker exploits NGINX’s multi-process architecture, where forked workers share identical memory layouts, to reliably corrupt pool cleanup function pointers and execute arbitrary commands via sprayed fake structures in POST request bodies. A public proof-of-concept demonstrating full remote code execution via CVE-2026-42945 has been made publicly available.
By May 16, 2026, active exploitation of CVE-2026-42945 was confirmed against security honeypot networks, just four days after public disclosure. The nature and attribution of the CVE-2026-42945 attacks remain unknown at this time. Alongside CVE-2026-42945, five additional NGINX vulnerabilities were patched in the same F5 security release: CVE-2026-42946 (excessive memory allocation in ngx_http_scgi/uwsgi_module), CVE-2026-40701 (use-after-free in OCSP handling within ngx_http_ssl_module), CVE-2026-42934 (out-of-bounds read in ngx_http_charset_module), CVE-2026-40460 (HTTP/3 address spoofing), and CVE-2026-42926 (HTTP/2 request injection in ngx_http_proxy_v2_module).
F5 released patched NGINX versions 1.31.0 (mainline) and 1.30.1 (stable branch) on May 13, 2026 to address CVE-2026-42945 and the additional vulnerabilities. Organizations running vulnerable NGINX versions are urged to upgrade immediately, audit rewrite configurations for vulnerable patterns, enforce ASLR at the operating system level, and monitor for anomalous HTTP requests targeting rewrite patterns that could indicate CVE-2026-42945 exploitation attempts.
Apply the patched versions of NGINX without delay to remediate CVE-2026-42945 and associated vulnerabilities. For NGINX Open Source, upgrade to version 1.31.0 (mainline) or 1.30.1 (stable branch). For NGINX Plus users, apply the corresponding patched release as described in the F5 security advisory K000160932. After upgrading, verify the installed version by running the nginx -v command to confirm the fix is in place. Given that active exploitation of CVE-2026-42945 has been observed in the wild, this upgrade should be treated as an emergency priority.
If upgrading cannot be performed immediately, F5 recommends a configuration-level mitigation for CVE-2026-42945. Replace all unnamed PCRE captures ($1, $2, etc.) with named captures in affected rewrite directives. This eliminates the triggering condition for the buffer size miscalculation that leads to the heap overflow in CVE-2026-42945. This workaround should be treated as a temporary measure only, and a full upgrade to patched NGINX versions should be completed as soon as operationally feasible.
Conduct a thorough review of all NGINX configuration files across the environment to identify instances of the CVE-2026-42945 vulnerable pattern: a rewrite directive using unnamed regex captures with a question-mark-containing replacement string, followed by another rewrite, if, or set directive. Prioritize patching or reconfiguring any NGINX instances that match this pattern, particularly those exposed to the public internet.
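The audit just described, as an added example that is not part of the advisory or of F5's own tooling: a Python heuristic that scans NGINX configuration text for a rewrite with unnamed captures and a question mark in its replacement that is followed in the same block by rewrite, if or set, and a constructed pair of configs showing the vulnerable form beside the named-capture workaround. The parser only approximates NGINX's grammar (comments stripped, statements split on semicolons and braces), so treat its output as a starting point for manual review.

```python
"""Audit NGINX configs for the CVE-2026-42945 rewrite pattern."""
import re

FOLLOWERS = {"rewrite", "if", "set"}
# A '(' that is neither escaped nor a (?...) construct opens an unnamed capture.
UNNAMED_CAPTURE = re.compile(r'(?<!\\)\((?!\?)')

def is_vulnerable_rewrite(args):
    """args = [regex, replacement, optional flag] of a rewrite directive."""
    if len(args) < 2:
        return False
    return '?' in args[1] and UNNAMED_CAPTURE.search(args[0]) is not None

def audit_config(text):
    """Return rewrites with unnamed captures and '?' in the replacement that are
    followed, in the same block, by a rewrite, if or set directive.
    Heuristic parser: comments stripped, statements split on ';' and braces."""
    findings = []
    pending = [[]]  # per block depth: vulnerable rewrites awaiting a follower
    for stmt in re.findall(r'[^;{}]*[;{]|\}', re.sub(r'#[^\n]*', '', text)):
        stmt = stmt.strip()
        if stmt == '}':
            if len(pending) > 1:
                pending.pop()
            continue
        body, opens_block = stmt[:-1].split(), stmt.endswith('{')
        if not body:
            continue
        if body[0] in FOLLOWERS and pending[-1]:
            for rw in pending[-1]:
                findings.append({'rewrite': rw, 'followed_by': ' '.join(body)})
            pending[-1].clear()
        if body[0] == 'rewrite' and is_vulnerable_rewrite(body[1:]):
            pending[-1].append(' '.join(body))
        if opens_block:
            pending.append([])
    return findings

# Constructed sample configs (not from the advisory): the first matches the
# vulnerable pattern, the second applies the named-capture workaround.
VULNERABLE_CONF = """server { location /item/ {
    rewrite ^/item/([^/]+)$ /show?name=$1 last;
    set $item_name $1; } }"""
HARDENED_CONF = """server { location /item/ {
    rewrite ^/item/(?<name>[^/]+)$ /show?name=$name last;
    set $item_name $name; } }"""

if __name__ == '__main__':
    for label, conf in (('vulnerable', VULNERABLE_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_config(conf))
```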
Ensure that Address Space Layout Randomization (ASLR) is enabled at the operating system level on all servers running NGINX. ASLR is the primary mitigation that prevents the CVE-2026-42945 heap buffer overflow from being escalated to remote code execution. On Linux systems, confirm that /proc/sys/kernel/randomize_va_space is set to 2. While ASLR does not prevent the denial-of-service impact of CVE-2026-42945, it significantly raises the difficulty of achieving code execution.
Ensure NGINX worker processes are running under an unprivileged system account. Enable and enforce mandatory access controls such as AppArmor or SELinux profiles on NGINX processes to limit the damage even if CVE-2026-42945 exploitation succeeds. Disable any unused NGINX modules to minimize the attack surface. Review and restrict file permissions on configuration files containing sensitive data such as database credentials.
Initial Access: T1190 (Exploit Public-Facing Application)
Execution: T1203 (Exploitation for Client Execution)
Impact: T1499.004 (Application or System Exploitation)
Resource Development: T1588.006 (Vulnerabilities), T1588.005 (Exploits), T1588.002 (Tool)
Reconnaissance: T1595.002 (Vulnerability Scanning)
Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
F5 Security Advisory K000161019 – CVE-2026-42945
F5 Security Advisory K000160932 – NGINX Security Update
DepthFirst Research – NGINX Rift: Achieving NGINX RCE via an 18-Year-Old Vulnerability
GitHub – DepthFirstDisclosures/Nginx-Rift Proof-of-Concept