18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
Summary
A critical heap buffer overflow vulnerability (CVE-2026-42945) has been discovered in NGINX's rewrite module, where it remained undetected for 18 years. The flaw can be triggered without authentication and allows remote code execution or denial of service.
IFF Assessment
This vulnerability allows attackers to execute arbitrary code on affected NGINX servers without authentication, posing a significant threat to infrastructure.
Severity
The vulnerability carries a CVSS v4 score of 9.2, placing it in the critical band. It allows unauthenticated remote code execution, with severe impact on confidentiality, integrity, and availability.
Defender Context
Defenders should prioritize patching or mitigating systems that use the NGINX rewrite module, as this 18-year-old flaw presents a critical remote code execution risk. Note that the rewrite module (ngx_http_rewrite_module) is built into NGINX by default, so a server should be assumed to be affected unless its build was explicitly configured with --without-http_rewrite_module (check with `nginx -V`). Organizations must maintain robust vulnerability scanning and patch management processes so that long-standing vulnerabilities of this kind can be addressed quickly once disclosed.