NGINX CVE-2026-42945 Actively Exploited: Worker Crashes & RCE in the Wild

NGINX CVE-2026-42945 (CVSS 9.2) actively exploited in the wild. Heap buffer overflow in rewrite module allows worker DoS (reliable) or RCE if ASLR disabled. Patch versions 0.6.27–1.30.0 immediately.


Incident Summary

NGINX CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module, is actively exploited in production environments. The flaw (present since 2008) allows unauthenticated remote attackers to crash nginx worker processes or execute code with crafted HTTP requests.

Affected: NGINX versions 0.6.27 through 1.30.0 (both NGINX Open Source and NGINX Plus).

CVSS: 9.2 (Critical).

Status: Active exploitation detected via VulnCheck honeypots; threat actor intent unknown.


Vulnerability Details

Type: Heap buffer overflow in ngx_http_rewrite_module during named-capture group processing.

Requirements for exploitation:

  1. Vulnerable NGINX version in affected range
  2. Specific rewrite rule configuration (attacker must know or discover the config)
  3. Crafted HTTP request triggering overflow

Impact:

  • DoS: Worker process crash—reliable and trivial to trigger
  • RCE: Possible only if ASLR is disabled (non-default on modern Linux)

⚠️ RCE Barrier: AlmaLinux maintainers state that on systems with ASLR enabled (default for all supported releases), reliable generic exploitation "is not easy." However, worker crash DoS is "exploitable enough on its own."


Active Exploitation Status

VulnCheck honeypot networks detected exploitation attempts post-disclosure. Current threat actor objectives are unknown but likely include:

  • Service disruption (DoS)
  • Foothold establishment (RCE on vulnerable configs)
  • Reconnaissance (determine which NGINX versions/configs are in use)

Detection & Mitigation

Immediate Actions

  1. Identify vulnerable versions:

     nginx -v

     If the output shows version 0.6.27–1.30.0, you are affected.

  2. Check if rewrite module is loaded:

     nginx -T | grep -i rewrite

     If the module is compiled in (the default), you are vulnerable when running an affected version.

  3. Patch immediately:
     • Ubuntu/Debian: apt update && apt upgrade nginx
     • CentOS/AlmaLinux/CloudLinux: yum update nginx
     • NGINX Plus: Apply F5 patches; contact support for timelines
     • Compiled from source: Rebuild with 1.30.1+ or apply patch series from F5

  4. Verify ASLR status (defense-in-depth only; not a substitute for patching):

     cat /proc/sys/kernel/randomize_va_space

     Output 2 = ASLR enabled (good). Output 0 = disabled (high risk; enable immediately with: sysctl -w kernel.randomize_va_space=2).
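
The version and ASLR checks above combined into one triage script. This is an added example, not code from F5, AlmaLinux or the original page; the function names are hypothetical and the affected range is the one stated on this page.

```sh
#!/bin/sh
# Added example (not from the advisory): triage for the checks above.
# Function names are hypothetical; the range is the one stated on this page.

# Extract "1.18.0" from output such as "nginx version: nginx/1.18.0 (Ubuntu)".
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Exit 0 if $1 is within 0.6.27..1.30.0 inclusive, 1 if outside, 2 if unparseable.
nginx_version_affected() {
    printf '%s\n' "$1" | awk -F. '
        function key(a, b, c) { return a * 1000000 + b * 1000 + c }
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+$/ { exit 2 }
        { v = key($1, $2, $3); exit !(v >= key(0, 6, 27) && v <= key(1, 30, 0)) }'
}

# Map kernel.randomize_va_space to a label; $1 overrides the path (for testing).
aslr_state() {
    case "$(cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null)" in
        2) echo full ;;
        1) echo partial ;;    # stack, mmap base and vDSO only; brk heap is not randomized
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# $1 = raw `nginx -v` output, $2 = optional path to the ASLR sysctl file.
triage() {
    ver=$(parse_nginx_version "$1")
    if nginx_version_affected "$ver"; then
        verdict=AFFECTED
    else
        case $? in 1) verdict=not-in-range ;; *) verdict=unparseable ;; esac
    fi
    echo "version=${ver:-?} range=$verdict aslr=$(aslr_state "$2")"
}

# nginx -v writes to stderr, hence 2>&1. Skipped when nginx is not installed.
if command -v nginx >/dev/null 2>&1; then
    triage "$(nginx -v 2>&1)"
fi
```

Distribution packages often carry backported fixes under an unchanged upstream version string, so on a distro build treat an AFFECTED result as a prompt to check the package changelog rather than as proof.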

Detection Indicators

Monitor access logs for HTTP requests targeting rewrite rules with unusual patterns:

  • Requests with very long $capture_* variable payloads
  • POST bodies with binary/null-byte sequences targeting rewrite logic
  • Repeated requests to same rewrite rule from single source IP

Log examples (check error.log):

  • worker process N exited on signal 11 (SIGSEGV) → heap corruption
  • rewrite rule mismatch or capture group overflow → payload triggered
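
One way to turn the SIGSEGV indicator above into an alertable signal: count worker exits on signal 11 per minute and report the minutes that reach a threshold. This is an added example, not from the original page; the function names, the threshold and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): flag minutes with repeated worker segfaults.
# Function names, the threshold and the sample lines are constructed for illustration.

# Constructed error.log excerpt in nginx's default error-log layout.
sample_log() {
    cat <<'EOF'
2026/05/17 10:01:02 [alert] 1201#1201: worker process 1305 exited on signal 11 (core dumped)
2026/05/17 10:01:19 [alert] 1201#1201: worker process 1311 exited on signal 11 (core dumped)
2026/05/17 10:01:47 [alert] 1201#1201: worker process 1318 exited on signal 11
2026/05/17 10:03:10 [alert] 1201#1201: worker process 1322 exited on signal 9
2026/05/17 10:05:30 [notice] 1201#1201: worker process 1330 exited with code 0
2026/05/17 10:07:55 [alert] 1201#1201: worker process 1341 exited on signal 11
EOF
}

# Read an error log on stdin; print "date HH:MM count" for every minute with at
# least $1 (default 3) workers killed by SIGSEGV, in order of first appearance.
segv_bursts() {
    awk -v thr="${1:-3}" '
        / worker process [0-9]+ exited on signal 11( |$)/ {
            minute = $1 " " substr($2, 1, 5)
            if (!(minute in n)) order[++k] = minute
            n[minute]++
        }
        END {
            for (i = 1; i <= k; i++)
                if (n[order[i]] >= thr) print order[i], n[order[i]]
        }'
}

sample_log | segv_bursts 3    # real use: segv_bursts 3 < /var/log/nginx/error.log
```

An isolated segfault can come from an unrelated module bug; a burst within one minute is the pattern worth correlating with the access log for the same window.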

WAF/Firewall Strategy

If patch is delayed:

  • Block known exploit patterns in ModSecurity (F5 will release WAF rules)
  • Temporarily disable rewrite rules if not critical
  • Restrict traffic to known legitimate sources
  • Implement rate limiting on rewrite-rule-targeting requests

⚠️ Not a substitute for patching: WAF rules lag exploitation; assume adversary-crafted bypasses exist.


Hardening

systemd Hardening (Post-Patch)

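[Unit]
After=network.target

[Service]
Type=forking
# In a drop-in, clear each inherited Exec* line before redefining it;
# a second ExecStart= is rejected for Type=forking services.
ExecStart=
ExecStart=/usr/sbin/nginx -g "daemon on; master_process on;"
ExecReload=
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=
ExecStop=/bin/kill -s QUIT $MAINPID

# Restrict capabilities. The master runs as root and needs SETUID/SETGID to
# drop workers to the unprivileged user, CHOWN for its temp paths, and
# DAC_OVERRIDE to open log files it does not own.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Filesystem and privilege restrictions
PrivateDevices=yes
ProtectSystem=strict
# ProtectSystem=strict mounts the file system read-only; re-allow the paths
# nginx writes to (adjust per distribution; "-" ignores missing paths).
ReadWritePaths=/run -/var/log/nginx -/var/lib/nginx -/var/cache/nginx
ProtectHome=yes
NoNewPrivileges=yes

# Kernel, memory and system-call restrictions
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
LockPersonality=yes
# Denies writable+executable mappings; JIT features that need them
# (for example pcre_jit) will not work under this setting.
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

# Restart crashed workers' parent service after a short delay
Restart=on-failure
RestartSec=5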

Apply with: systemctl edit nginx → paste above, systemctl restart nginx.

Config Audit

Review rewrite rules for unnecessary complexity:

grep -n "rewrite " /etc/nginx/*.conf /etc/nginx/conf.d/*.conf

Disable rewrite module entirely if not used:

./configure --without-http_rewrite_module

(rebuild from source if compiled statically).


Secondary Issue: openDCIM Exploitation

VulnCheck also disclosed active exploitation of openDCIM (data center infrastructure management) CVEs:

CVE-2026-28515 (CVSS 9.3): Missing authorization on LDAP config endpoint. In Docker deployments with REMOTE_USER env var set without auth, endpoint is unauthenticated → unauthorized config modification.

CVE-2026-28517 (CVSS 9.3): OS command injection in report_network_map.php (dot parameter unsanitized → arbitrary shell execution).

Attack chain: Chained with CVE-2026-28516 (SQL injection) to achieve RCE and spawn reverse shell in 5 HTTP requests.

Status: Single Chinese IP observed using customized Vulnhuntr (AI vuln discovery tool) to auto-scan, then deploy PHP web shell.

⚠️ If running openDCIM: Check if exposed to Internet; apply patches immediately; audit access logs for exploitation patterns (SQL comments, dot parameter injection, LDAP modification requests).


Timeline

  • 2008: Vulnerability introduced in ngx_http_rewrite_module
  • May 13, 2026: CVE-2026-42945 publicly disclosed
  • May 17, 2026: Active exploitation confirmed in VulnCheck honeypots
  • May 17, 2026: AlmaLinux/F5 guidance released (ASLR mitigates RCE; DoS still critical)

References

  • CVE-2026-42945 CVSS: 9.2 (F5 NGINX advisory)
  • AlmaLinux guidance: https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/
  • VulnCheck honeypot detection: LinkedIn post (May 17, 2026)
  • Kevin Beaumont analysis: Config specificity, ASLR requirement
  • openDCIM CVEs: CVE-2026-28515, CVE-2026-28517, CVE-2026-28516 (chained RCE)