HOMEVULNERABILITIESCVE-2026-42945
HIGHCISA KEVIN THE WILD

CVE-2026-42945

CWE-122Published: May 13, 2026· Updated: May 14, 2026

8.1
CVSS v3.1
EPSS:0.17%probability of exploitation in 30 daysPercentile:37.2th

Official Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

NVD Source

Technical Analysis

CVE-2026-42945 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.1.

CISA has added CVE-2026-42945 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityHigh
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
NGINX
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

ACTIVE EXPLOITATIONConfirmed exploitation in the wild
External links open in a new tab. Always verify in a controlled environment before use.

News & Research Mentioning CVE-2026-42945

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
The Hacker News· May 17, 2026

A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the [xlite_meta score:53 src:The Hacker News xlite_fp:0633dfb0042e29ced5671b40c1188cc1aed59feef3de3576f25aea26ba6daaae]

18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
The Hacker News· May 14, 2026

Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a [xlite_meta score:50 src:The Hacker News xlite_fp:c3bd8d3d27501378582cdb07e9bb1783a44418da69c566a92a0624c42cb1b7bc]

All References (3)

Quick Facts

CVE IDCVE-2026-42945
CVSS Score8.1 / 10
SeverityHIGH
WeaknessCWE-122
CISA KEVYES — Active Exploitation
ExploitIN THE WILD
EPSS (30d)0.17%
PublishedMay 13, 2026

Known Threat Actors

B0
financial
core
financial

Related CVEs (CWE-122)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-42945 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • !Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.