By NHI Mgmt Group Editorial Team
Published 2026-05-14
Domain: Breaches & Incidents
Source: Orca Security

TL;DR: CVE-2026-42945 affects NGINX Open Source and NGINX Plus, where crafted HTTP requests can trigger a heap buffer overflow that causes denial of service and, in some environments, remote code execution, according to Orca Security. The real lesson is that internet-facing ingress paths turn parser bugs into infrastructure-wide blast radius, so patch timing and exposure context now matter more than CVSS alone.


At a glance

What this is: CVE-2026-42945 is a high-severity NGINX rewrite-module vulnerability that can crash workers and, in some environments, lead to remote code execution through crafted HTTP requests.

Why it matters: For IAM and security teams, the issue shows how exposed edge components can become a control-plane risk for NHI-heavy and containerised environments, where ingress compromise or instability can disrupt authentication, routing, and service identity workflows.

By the numbers:

  • CVE-2026-42945 has a CVSS score of 9.2 and affects NGINX Open Source versions 1.0.0 through 1.30.0, plus NGINX Plus R32 through R36.
  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.



Context

CVE-2026-42945 is a denial-of-service and potential remote code execution flaw in the NGINX rewrite module, triggered by specially crafted HTTP requests. In plain terms, the bug sits in request parsing at the edge, where rewrite directives, unnamed captures, and malformed replacement strings can corrupt heap memory before application logic ever sees the request.

For identity and access teams, the governance issue is not limited to web uptime. NGINX often sits in front of APIs, ingress paths, and service-to-service traffic, so instability or code execution in this layer can affect how machine identities, tokens, and downstream services are reached and protected. The starting point here is unfortunately common: widely deployed edge software used as if it were low-risk plumbing.

The public proof-of-concept changes the operational posture. Once a working exploit is available, exposure management, patch sequencing, and runtime criticality become inseparable, especially in Kubernetes and internet-facing deployments where ingress failure can cascade into broader identity and access disruption.


Key questions

Q: What breaks when CVE-2026-42945 is not patched in NGINX ingress paths?

A: The most immediate failure is repeated worker crashes that produce denial of service, but the deeper issue is that the edge tier stops reliably mediating traffic for downstream services. In some environments, heap corruption can also become a route to remote code execution, which turns an availability problem into a potential control-plane compromise.

Q: Why do vulnerable NGINX rewrite rules matter so much in internet-facing environments?

A: They matter because NGINX is often the first enforcement point for APIs, ingress, and service traffic, so a parsing flaw there can affect a large portion of the environment at once. When the bug is unauthenticated and publicly exploitable, exposure is determined by reachability, not by whether credentials are protected elsewhere.

Q: How do security teams know whether an NGINX deployment is exposed to this issue?

A: Check for affected versions and inspect configuration for rewrite, if, and set directives that use unnamed captures. Then validate whether the instance is internet-facing, whether it fronts critical services, and whether logs show worker restarts or heap corruption errors. Exposure is a combination of version, configuration, and runtime location.

Q: Who is accountable when a public PoC turns an NGINX flaw into service outage?

A: Accountability usually sits across platform operations, application owners, and security teams because the vulnerable component is both infrastructure and an application dependency. The right framework is to assign ownership for patching, exposure tracking, and ingress criticality before the next disclosure, rather than after service disruption begins.


Technical breakdown

Rewrite directives and unnamed captures create the vulnerable parsing path

The vulnerable path is in ngx_http_rewrite_module, where rewrite directives interact with unnamed PCRE captures such as $1 or $2. When the replacement string includes a question mark, the script engine can enter a state mismatch that leads to a heap buffer overflow in the worker process. That means the flaw is not a generic NGINX crash bug, but a very specific parser and memory-handling failure triggered during request rewriting. Because the exploit is unauthenticated, the attacker only needs a reachable edge endpoint and the right request shape, not valid credentials.

Practical implication: inventory every NGINX deployment using rewrite, if, or set directives with unnamed captures and treat them as immediate patch priority.

Heap corruption turns a single request into worker process failure

Heap buffer overflows are dangerous because they overwrite adjacent memory metadata, not just the buffer itself. In this case, repeated corruption can force the NGINX worker to abort, which creates reliable denial of service even when full code execution is not achieved. The article’s PoC shows that a small number of crafted requests can cycle worker PIDs fast enough to outpace respawn and health checks. That is why this issue behaves like an availability control failure at scale, not just a software bug in isolation.

Practical implication: monitor worker crash loops and SIGABRT patterns as indicators of exploit attempts, and isolate exposed ingress nodes from less critical workloads.

Why some environments may reach remote code execution

The same heap corruption may be pushed beyond denial of service in environments where the memory layout is exploitable, especially if the attacker can combine the overflow with memory disclosure, heap grooming, or weaker mitigation conditions. The article notes that reliable RCE can be easier when ASLR is disabled, but it also warns that hardened systems are not automatically safe if exploitation primitives can be chained. In other words, the vulnerability creates an attack path from request parsing to memory corruption to potential process takeover, depending on the surrounding runtime conditions.

Practical implication: do not scope this as a DoS-only issue; assess whether exposed NGINX nodes also sit in paths where code execution would enable credential theft or traffic manipulation.


Threat narrative

Attacker objective: The attacker aims to disrupt edge traffic and, in some environments, gain code execution on an internet-facing NGINX worker.

  1. Entry occurs through a specially crafted unauthenticated HTTP request sent to a reachable NGINX endpoint using vulnerable rewrite directives.
  2. Escalation follows when the request triggers heap corruption in the worker process, causing repeated worker crashes and service instability.
  3. Impact can extend from denial of service to potential remote code execution in environments where the corrupted heap can be shaped into a usable exploit path.



NHI Mgmt Group analysis

Unauthenticated edge parser bugs are identity-adjacent control failures, not isolated web defects. NGINX often sits in front of APIs, service endpoints, and machine-authenticated traffic, so a crash or memory corruption issue at this layer can interrupt the systems that carry NHI trust. The practical lesson is that edge exposure changes the governance priority of a vulnerability even when the exploit path is not credential-based.

Blast-radius control is the right lens for NGINX vulnerabilities in ingress-heavy estates. A single worker crash is a local failure, but repeated crashes on shared ingress infrastructure can take down authentication flows, service-to-service routing, and observability pipelines that depend on the same edge tier. Practitioners should treat exposed rewrite paths as shared control surfaces, because one bug can degrade multiple identity and access services at once.

Rewrite-rule complexity creates a named operational risk: ingress parsing exposure. The more a deployment relies on rewrite, if, and set directives with unnamed captures, the more its attack surface depends on request-shaping behavior that is hard to reason about during routine change management. This is a governance problem because the control failure is invisible until the edge starts failing under hostile input, so teams need to know where parsing logic is concentrated before they can judge exposure.

Patch urgency is driven by public exploitability, not by theoretical severity alone. Orca Security’s PoC demonstration and the public exploit release mean the vulnerability has moved from disclosure into active weaponisation potential. For practitioners, that shifts the operating assumption from 'patch when convenient' to 'patch before the ingress layer becomes the easiest path to outage.'

Ingress hardening should be aligned with zero-trust assumptions about the edge. Zero trust does not help if the reverse proxy or ingress controller itself becomes the failure point, because the trust boundary is being enforced by the component under attack. The implication is straightforward: edge identity and traffic controls must be evaluated alongside the software path that mediates them, not separately.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations.
  • For broader incident context, The 52 NHI breaches Report helps teams map how identity exposure turns into operational failure.

What this signals

Ingress exposure is becoming an identity governance issue as much as an application security issue. When edge software fronts APIs, service tokens, and authentication-dependent traffic, a crash or memory corruption bug can interrupt the very pathways that carry machine identity. Teams should map which ingress nodes also function as identity choke points, because that is where vulnerability severity becomes operational severity.

A practical response is to fold reverse proxy and gateway assets into the same exposure and criticality reviews used for NHI estates. The question is not just whether the software is patched, but whether the affected node sits in front of authentication, workload routing, or service-to-service authorization flows that cannot tolerate downtime.

Ingress parsing exposure: this is the failure mode where request-rewriting logic becomes the hidden attack surface that attackers can weaponise before application controls ever run. If the organisation cannot see which edge components use dangerous rewrite patterns, it cannot judge where a public proof-of-concept will land first.


For practitioners

  • Patch vulnerable NGINX versions immediately: Move to NGINX Open Source 1.30.1 or 1.31.0, or NGINX Plus R32 P6 or R36 P4, and prioritise internet-facing nodes first. Treat exposed ingress controllers and gateway fabrics as the highest-risk assets in the remediation queue.
  • Find rewrite directives that use unnamed captures: Search configuration for rewrite, if, and set directives that rely on unnamed regex captures such as $1 or $2, because those are the conditions the flaw exploits. Replace them with named captures where immediate patching cannot be completed.
  • Track worker crash indicators as exploit signals: Look for repeated worker PID cycling, SIGABRT terminations, and heap corruption messages in NGINX logs, especially on nodes exposed to the public internet. Use these indicators to separate routine instability from active exploitation attempts.
  • Re-rank exposure by runtime criticality: Do not treat all vulnerable instances equally. Prioritise systems that front authentication flows, service-to-service traffic, or Kubernetes ingress, because a successful crash there can produce much wider service disruption than the same flaw in a low-traffic environment.

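The configuration audit and crash-signal checks above (and the matching "practical implication" steps in the technical breakdown) as one small script. This is an added example, not code from Orca Security, the NGINX project or the original post: the config fragment and error-log lines are constructed, the log format follows nginx's real "worker process N exited on signal S" alert message, and the '?'-in-replacement heuristic only mirrors the request shape the post describes rather than testing for the bug itself.

```python
import re
from datetime import datetime

# Constructed sample input: a config fragment and error-log lines in nginx's
# own "worker process N exited on signal S" format, not captured from a real host.
SAMPLE_CONF = """\
location /old/ {
    rewrite ^/old/(.*)$ /new/$1 last;
    rewrite ^/api/(.*)$ /v2/index.php?p=$1 break;
    rewrite ^/legacy/(?<path>.*)$ /new/$path last;
    if ($request_uri ~ ^/u/(\\w+)) { set $user $1; }
}
"""
SAMPLE_LOG = """\
2026/05/14 10:00:01 [alert] 1#0: worker process 27 exited on signal 6 (core dumped)
2026/05/14 10:00:03 [notice] 1#0: start worker process 31
2026/05/14 10:00:04 [alert] 1#0: worker process 31 exited on signal 6 (core dumped)
2026/05/14 10:00:06 [alert] 1#0: worker process 35 exited on signal 11
2026/05/14 11:30:00 [alert] 1#0: worker process 40 exited on signal 6
"""
UNNAMED_REF = re.compile(r"\$\d")                    # $1 .. $9 back-references
WORKER_EXIT = re.compile(r"^(\S+ \S+) \[alert\] .*worker process \d+ exited on signal (\d+)")
CRASH_SIGNALS = {6, 11}                              # SIGABRT (heap-check abort), SIGSEGV

def audit_config(config_text):
    """(line_no, directive, detail) for rewrite/if/set lines using unnamed captures."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()        # drop trailing comments
        if len(tokens) < 2 or tokens[0] not in ("rewrite", "if", "set"):
            continue
        if not UNNAMED_REF.search(" ".join(tokens[1:])):
            continue
        detail = "unnamed capture"
        # The post ties the overflow to a '?' in the rewrite replacement string.
        if tokens[0] == "rewrite" and len(tokens) > 2 and "?" in tokens[2]:
            detail = "unnamed capture with '?' in replacement"
        findings.append((n, tokens[0], detail))
    return findings

def peak_crash_rate(log_text, window_s=60):
    """Most SIGABRT/SIGSEGV worker exits seen inside any window_s-second span."""
    times = sorted(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
                   for m in map(WORKER_EXIT.search, log_text.splitlines())
                   if m and int(m.group(2)) in CRASH_SIGNALS)
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_s:
            j += 1                                   # slide window start forward
        best = max(best, i - j + 1)
    return best
```

On the sample data the audit flags lines 2, 3 and 5 (the named-capture rewrite on line 4 passes), and three crash exits land inside one 60-second window, the kind of density that separates a crash loop from routine respawns.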
Key takeaways

  • CVE-2026-42945 shows that a rewrite-module parsing flaw can move quickly from unauthenticated request handling to worker crashes and, in some environments, remote code execution.
  • The practical risk is amplified by exposed ingress tiers, public exploit availability, and NGINX’s role in front of APIs and machine-identity traffic.
  • Patching is the first move, but exposure review, rewrite-rule cleanup, and crash-signature monitoring are what reduce the blast radius if exploitation starts.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
---------------------------------|---------------------|----------------------------------------------------------------------------------------------
OWASP Non-Human Identity Top 10  | NHI-02              | Internet-facing edge services can expose non-human identity traffic and trust paths.
NIST CSF 2.0                     | PR.PT-1             | Protective technology and secure configuration are central to preventing exploit impact.
NIST Zero Trust (SP 800-207)     | PR.AC-5             | The ingress layer enforces access decisions, so its compromise affects zero-trust boundaries.

Inventory edge components that mediate NHI traffic and prioritise vulnerable ingress nodes for remediation.


Key terms

  • Heap Buffer Overflow: A heap buffer overflow happens when a process writes past the end of a memory buffer allocated on the heap. In NGINX-style worker processes, that corruption can crash the process, corrupt adjacent state, or, in the right conditions, become a route to code execution.
  • Rewrite Directive: A rewrite directive changes how a request URI is processed before it reaches application logic. In this vulnerability class, rewrite logic is security-relevant because malformed capture handling can alter memory state during request parsing, making the directive part of the attack surface.
  • Ingress Controller: An ingress controller is the component that routes external traffic into internal services, often in Kubernetes and similar environments. Because it sits at the edge, a failure there can affect authentication flows, service routing, and the availability of multiple dependent workloads at once.
  • Unauthenticated Remote Exploit: An unauthenticated remote exploit can be triggered over the network without prior login or trust relationship. That matters for edge infrastructure because anyone who can reach the service can potentially trigger the bug, so exposure is defined by reachability rather than credentials.

Deepen your knowledge

NGINX vulnerability response and ingress exposure triage are covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for edge services that front machine identities or authentication flows, the course is a useful starting point.

This post draws on content published by Orca Security: CVE-2026-42945 analysis for NGINX Open Source and NGINX Plus. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org