NGINX, an F5 subsidiary and a cornerstone of global internet infrastructure, serves as one of the world’s most ubiquitous reverse proxy servers. A security research firm has recently disclosed a critical vulnerability, designated CVE-2026-42945, revealing an eighteen-year-old heap buffer overflow lurking within the NGINX scripting engine.
An adversary need only transmit a meticulously crafted HTTP request to an exposed NGINX server to achieve remote compromise. Given that NGINX commands nearly 30% of the global market for web servers and reverse proxies, the potential repercussions for internet services are staggering. The defect was originally introduced in NGINX version 0.6.27, released in 2008, and has remained undetected until now. It afflicts versions ranging from 0.6.27 to 1.30.0, including various commercial derivatives provided by F5, such as NGINX WAF, F5 WAF, NGINX Gateway Fabric, and the NGINX Ingress Controller.
The conditions required to trigger the exploit are remarkably subtle, activating only when two specific directives coexist within the NGINX configuration:
rewrite ^/api/(.*)$ /internal?migrated=true; (a rewrite rule concluding with a “?”)
set $original_endpoint $1; (the utilization of a regex capture group)
The research team identified the root cause within the scripting engine of the ngx_http_rewrite_module (ngx_http_script.c). When a rewrite directive includes a question mark, a persistent is_args flag is set. However, during the subsequent length calculation for the set directive, the engine employs a newly initialized sub-engine, causing it to bypass URL escaping logic during the estimation phase.
During the actual memory copy phase, the system reverts to the primary engine, invoking the ngx_escape_uri function to escape characters such as “+” and “&”. Because the buffer is allocated based on the unescaped length but populated with the expanded, escaped content, a controllable heap buffer overflow ensues.
Upon receiving the vulnerability report, F5 moved swiftly to validate the flaw. With the remediation now prepared and the details publicized, all users of NGINX and its derivatives are urged to transition to the latest secure iterations. Specifically, the open-source version must be updated to 1.30.1 or 1.31.0 to mitigate this longstanding threat.
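
For triage while upgrades roll out, the two-directive condition described above can be checked mechanically. The following is an added example, not code from NGINX, F5 or the research team: a coarse heuristic that flags a rewrite whose replacement contains "?" followed later in the same file by a set that reads a numbered capture. The function names and the sample configuration are constructed for illustration, and the check ignores block scope and include files.

```python
import re

# Constructed sample config (not from a real deployment); the first location
# holds the two directives quoted in the article.
SAMPLE_CONF = r"""
server {
    location /api/ {
        rewrite ^/api/(.*)$ /internal?migrated=true;  # replacement has "?"
        set $original_endpoint $1;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 last;
        set $kind static;
    }
}
"""

# Token kinds: quoted string, comment, block/terminator character, bare word.
# Assumption: the ${name} variable form is not handled by this tokenizer.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|[^\s{};]+''')
CAPTURE_REF = re.compile(r"\$[1-9]")  # numbered regex capture such as $1

def directives(conf):
    """Yield (line_no, words) for every directive terminated by ';'."""
    words, start = [], None
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue  # comment runs to end of line
        if tok in ("{", "}", ";"):
            if tok == ";" and words:
                yield start, words
            words, start = [], None
            continue
        if not words:
            start = conf.count("\n", 0, m.start()) + 1
        words.append(tok.strip("\"'"))

def audit(conf):
    """Return (rewrite_line, set_line) pairs matching the described pattern."""
    findings, last_rewrite = [], None
    for line, words in directives(conf):
        if words[0] == "rewrite" and len(words) >= 3 and "?" in words[2]:
            last_rewrite = line  # replacement contains (or ends with) "?"
        elif (words[0] == "set" and len(words) == 3
              and CAPTURE_REF.search(words[2]) and last_rewrite is not None):
            findings.append((last_rewrite, line))
    return findings

if __name__ == "__main__":
    for rw, st in audit(SAMPLE_CONF):
        print(f"review: rewrite with '?' at line {rw}, capture used by set at line {st}")
```

An empty result does not show that a server is unaffected; the version range and the upgrade guidance above remain the deciding factors.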