18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
EXECUTIVE SUMMARY
Critical 18-Year-Old Flaw in NGINX Rewrite Module Exposes Systems to RCE
Summary
A critical security vulnerability that went undetected for 18 years has been found in NGINX Plus and NGINX Open, specifically within the ngx_http_rewrite_module. The flaw, identified as CVE-2026-42945, can allow attackers to achieve remote code execution (RCE).
Key Points
- The vulnerability is a heap buffer overflow in the ngx_http_rewrite_module.
- It is identified as CVE-2026-42945 with a CVSS v4 score of 9.2.
- The flaw affects both NGINX Plus and NGINX Open versions.
- It was discovered by cybersecurity researchers at depthfirst.
- The vulnerability has been present for 18 years without detection.
Analysis
This vulnerability in NGINX's rewrite module is significant because it can allow remote code execution without authentication, which can lead to severe security breaches. Given how widely NGINX is deployed on web servers globally, the flaw poses a substantial risk to numerous systems and calls for immediate attention and remediation from IT professionals.
Conclusion
IT professionals should prioritize patching systems running NGINX to mitigate the risk posed by CVE-2026-42945. Regularly updating and auditing software for vulnerabilities is crucial to maintaining security and preventing exploitation.