18-Year-Old NGINX Rewrite Module Bug Enables Unauthenticated RCE

A heap buffer overflow in NGINX’s ngx_http_rewrite_module (CVE-2026-42945, CVSS v4: 9.2) has been publicly disclosed after going undetected for 18 years. The flaw affects both NGINX Plus and NGINX Open Source and allows unauthenticated remote attackers to achieve arbitrary code execution or crash the server.

Researcher depthfirst discovered the vulnerability; it stems from improper memory handling in the rewrite directive processing pipeline. Any internet-facing NGINX deployment using rewrite rules is potentially exposed.

Patch to the latest NGINX release immediately. If patching is delayed, audit rewrite rule usage and consider restricting the rewrite module where it is not required. No active exploitation has been confirmed at time of disclosure, but the CVSS score and ubiquity of NGINX make this a high-priority patch.