NGINX, the widely used open-source reverse proxy, has disclosed a critical vulnerability, CVE-2026-42945, with a critical severity rating of 9.2. The defect was introduced in 2008 with NGINX version 0.6.27 and sat unnoticed in the codebase for eighteen years before security researchers found it.
F5 has shipped fixed builds in NGINX versions 1.30.1 and 1.31.0. Because NGINX holds roughly 30% of the global market, its large footprint drew opportunistic attackers to the flaw immediately after disclosure, and threat intelligence firms have already observed active exploitation in the wild.
A recent briefing from VulnCheck, a security platform that monitors vulnerabilities and runs honeypots, confirms that multiple threat actors are actively scanning for the flaw. The platform's honeypots recorded successful exploitation attempts against CVE-2026-42945. Because the dataset is still small, analysts have not yet determined the broader nature or ultimate goals of these campaigns.
Scan data indicates that at least 5.7 million unpatched NGINX instances remain exposed to the public internet, with large concentrations in China and the United States. Each exposed instance is a viable target, with a serious risk of server takeover and exfiltration of sensitive data.
Although exploitation only requires sending a carefully crafted HTTP request to the server, success depends on specific preconditions. The flaw is reachable only under particular NGINX configurations, which an attacker must first identify or guess. Turning it into Remote Code Execution (RCE) additionally requires that ASLR (Address Space Layout Randomization) be disabled on the target host.
ASLR is a foundational memory-protection mitigation designed to defeat memory-corruption exploits. On hosts where ASLR is enabled, full exploitation is effectively blocked. Linux distributions such as AlmaLinux enable ASLR by default to raise their baseline security, so even if an exposed NGINX instance is probed, the underlying system resists complete compromise.
That said, difficulty in reaching code execution is not immunity. A Denial of Service (DoS) attack that crashes a worker process, leaving NGINX unable to serve legitimate traffic even without code execution, remains trivial to carry out. The AlmaLinux maintainers therefore strongly urge administrators to treat the NGINX upgrade as a matter of maximum urgency.
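A defender-side triage script, added here as an example rather than code from the article, NGINX or F5: it parses the `nginx -v` banner, compares it against the fixed releases the article names (1.30.1 and 1.31.0; treating branches before 1.30 as unfixed and branches after 1.31 as fixed is an assumption), interprets the ASLR state read from `/proc/sys/kernel/randomize_va_space`, and scans nginx error-log text for the worker-exited-on-signal alert that a crash-based DoS leaves behind. The sample banner, sysctl value and log lines are constructed.

```python
import re
# First fixed release on each branch, per the advisory (1.30.1 and 1.31.0).
PATCHED = {(1, 30): (1, 30, 1), (1, 31): (1, 31, 0)}
VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
# nginx's own error-log alert when a worker process dies on a signal.
CRASH_RE = re.compile(r"\[alert\] \d+#\d+: worker process \d+ exited on signal (\d+)")

def parse_version(banner):
    """(major, minor, patch) from `nginx -v` output, e.g. 'nginx version: nginx/1.30.0'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no nginx version in {banner!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """First fixed release on its branch or later (assumes <1.30 unfixed, >1.31 fixed)."""
    major, minor, _ = version
    fixed = PATCHED.get((major, minor))
    if fixed is not None:
        return version >= fixed
    return (major, minor) > (1, 31)

def aslr_enabled(randomize_va_space):
    # /proc/sys/kernel/randomize_va_space: 0 = off, 1 = partial, 2 = full
    return randomize_va_space.strip() == "2"

def worker_crash_signals(error_log):
    # Signals on which worker processes died, in log order
    return [int(s) for s in CRASH_RE.findall(error_log)]

def triage(banner, randomize_va_space, error_log):
    """Findings for one host; an empty list means nothing to act on."""
    ver = parse_version(banner)
    crashes = worker_crash_signals(error_log)
    findings = []
    if not is_patched(ver):
        findings.append("nginx %d.%d.%d predates the fix; upgrade" % ver)
    if not aslr_enabled(randomize_va_space):
        findings.append("ASLR not fully enabled (randomize_va_space != 2)")
    if crashes:
        findings.append(f"{len(crashes)} worker crash(es), signals {sorted(set(crashes))}")
    return findings
# Constructed sample input (not real telemetry): unpatched build, ASLR off, two worker crashes.
SAMPLE_BANNER = "nginx version: nginx/1.30.0"
SAMPLE_VA = "0\n"
SAMPLE_LOG = """2026/05/01 10:00:01 [notice] 1200#0: start worker process 1301
2026/05/01 10:00:07 [alert] 1200#0: worker process 1301 exited on signal 11
2026/05/01 10:00:09 [alert] 1200#0: worker process 1302 exited on signal 11
"""
```

Running `triage(SAMPLE_BANNER, SAMPLE_VA, SAMPLE_LOG)` on the constructed input yields three findings; a patched build with ASLR at 2 and a clean log yields none.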