External risk intelligence

Attacker can crash NGINX or run code by sending crafted requests

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-42945

A critical flaw in NGINX could let anyone crash your web server or even run their own code by sending a bad request. This impacts widely used NGINX servers and needs your immediate attention.

5Halo Surface Signal

Buffer Overflow

External exposure likelihood

Halo Surface Signal score for CVE-2026-42945

NGINX is a foundational web server and reverse proxy designed for public-facing deployments. It is routinely used as an internet edge gateway and load balancer to handle incoming HTTP traffic, making it inherently public-facing by design in most standard infrastructure architectures.

PCI scan relevance

PCI Relevance for CVE-2026-42945

Yes

CVE-2026-42945 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical NGINX vulnerability allows for remote code execution or denial-of-service, which would cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in NGINX's rewrite module that could allow an unauthenticated attacker to cause a denial of service and potentially execute code. This issue arises from a specific condition involving rewrite directives and regular expressions.

  • Affects widely used NGINX servers.
  • Could lead to service restarts or code execution.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending specifically crafted HTTP requests to an NGINX instance. The crafted request targets a logic flaw in how the `rewrite` directive handles specific patterns with question marks, leading to a heap buffer overflow in the worker process. This could result in a denial of service or, under certain conditions like ASLR being disabled, arbitrary code execution.

  • Targets public-facing NGINX servers.
  • Requires crafted HTTP requests.
  • Code execution needs ASLR disabled.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in NGINX's rewrite module could be attractive to attackers if they can reliably bypass ASLR, as it could lead to code execution. While the conditions required for exploitation are specific, the potential impact of a heap buffer overflow and possible code execution on a widely used web server like NGINX makes it a notable target. There is currently no clear evidence of active weaponization or public exploit availability, so the immediate threat urgency is uncertain.

  • No observed KEV listing.
  • No public exploit code identified.
  • Exploitation requires bypassing ASLR.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize actively exploited vulnerabilities by reviewing logs for indicators of compromise related to crafted HTTP requests targeting the ngx_http_rewrite_module. If evidence of exploitation is found, immediately isolate affected NGINX instances to prevent further impact, and begin an inventory of all systems running vulnerable NGINX versions to assess exposure.

  • Block malicious IP addresses.
  • Isolate or take services offline.
  • Monitor for abnormal NGINX restarts.

Frequently asked questions

What is NGINX and NGINX Plus?

NGINX and NGINX Plus are popular web server software used to deliver website content, act as reverse proxies, and manage network traffic for websites and applications. They are foundational technologies for many internet-facing services.

What is the weakness class for CVE-2026-42945 in NGINX?

The weakness class identified for CVE-2026-42945 is CWE-122, which refers to Heap-based Buffer Overflow. This means the vulnerability involves writing more data into a memory buffer than it can hold, potentially corrupting adjacent memory and leading to crashes or code execution.

How can an attacker trigger the NGINX vulnerability?

An unauthenticated attacker can trigger this vulnerability by sending specially crafted HTTP requests. The exploit requires specific conditions related to the `rewrite` directive followed by other directives and a regular expression with a question mark in its replacement string. Sending such requests to an NGINX server under certain network conditions could initiate the exploit.

Who should care about this NGINX vulnerability?

Organizations running NGINX or NGINX Plus, especially those with internet-facing servers, should care about this vulnerability. The Halo Surface Signal indicates this is a high-priority concern for systems exposed to the internet, as it can lead to service disruption or code execution.

What is a first step for running NGINX with this vulnerability?

A crucial first step is to review system logs for any signs of abnormal NGINX restarts or unusual HTTP requests targeting the rewrite module. This helps identify if the vulnerability is being actively exploited on your systems before considering other remediation actions.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified