Security

18-Year-Old NGINX Vulnerability Allows RCE and DoS

By TrustYourWebsite Editorial · 21 May 2026 · 2 min read

Source: BleepingComputer, 14 May 2026

A serious security flaw has been found in NGINX, one of the most widely used web server platforms on the internet. According to BleepingComputer, the vulnerability, tracked as CVE-2026-42945, is reportedly 18 years old and affects NGINX versions 0.6.27 through 1.30.0. It was discovered by researchers at a company called DepthFirst AI.

What is the vulnerability?

According to BleepingComputer, the flaw sits inside ngx_http_rewrite_module, the component that implements NGINX's rewrite directives. It is a heap buffer overflow caused by inconsistent handling of certain rewrite rules in NGINX's internal script engine. In plain terms: when NGINX evaluates a rewrite whose replacement contains a question mark, it calculates the size of the buffer it needs in one place and writes into that buffer in another, and the two do not agree, so it writes past the end of the memory it reserved. Writing past a heap buffer can crash the worker process (denial of service) and, under certain conditions, reportedly lets an attacker corrupt adjacent heap data in a way that leads to running their own code on the server (remote code execution). Whether a particular server can be reached this way depends on its own rewrite configuration, which is why the interim workaround described below changes the rewrite rules themselves rather than anything an attacker controls.

Researchers at DepthFirst AI also reportedly found three additional flaws in the same review:

  • CVE-2026-42946: excessive memory allocation in SCGI and UWSGI modules
  • CVE-2026-40701: a use-after-free flaw in how NGINX handles certain DNS operations
  • CVE-2026-42934: an off-by-one bug in UTF-8 text parsing that can cause out-of-bounds reads

Who is affected?

According to BleepingComputer, the affected products include a wide range of NGINX software maintained by F5:

  • NGINX Open Source versions 0.6.27 through 1.30.0
  • NGINX Plus R32 through R36
  • NGINX Instance Manager 2.16.0 through 2.21.1
  • F5 WAF for NGINX 5.9.0 through 5.12.1
  • NGINX App Protect WAF and DoS products across several version ranges
  • NGINX Gateway Fabric and NGINX Ingress Controller across several version ranges

What has F5 done?

According to BleepingComputer, fixes are available in NGINX Open Source 1.31.0 and 1.30.1, and in NGINX Plus R36 P4 and NGINX Plus R32 P6. For those who cannot upgrade immediately, F5 reportedly recommends replacing unnamed PCRE capture groups in vulnerable rewrite rules with named captures as a temporary workaround. In NGINX syntax that means turning a group written as `(...)` and referenced as `$1` into one written as `(?<name>...)` and referenced as `$name`. The workaround addresses only the rewrite-module flaw; treat it as a stopgap until the fixed release is installed.

If you manage your own server or hosting environment, check which version of NGINX you are running and update as soon as possible.
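The two checks above, deciding whether an installed NGINX Open Source build falls in the affected range and finding rewrite rules that still use unnamed captures, can be scripted. The script below is an added example for this article; it is not code from F5, NGINX or the source report. The version boundaries are the ones quoted above (0.6.27 through 1.30.0 affected, 1.30.1 and 1.31.0 fixed), it only understands Open Source version numbers (not NGINX Plus "R" releases), and the configuration snippet it audits is constructed for the example and includes both an unnamed-capture rule and the named-capture form of the same rule.

```shell
#!/bin/sh
# Added example, not from the article or from NGINX/F5. Two helpers:
#  1. nginx_version_affected: is an NGINX Open Source version inside the
#     affected range reported for CVE-2026-42945 (0.6.27 .. 1.30.0)?
#  2. rewrites_with_unnamed_captures: list rewrite directives whose
#     replacement references a numbered capture ($1, $2, ...), the rules
#     the article says should be converted to named captures.
# Assumption: Open Source version numbers only; NGINX Plus "R" releases
# are not parsed here.

# Compare two dotted version strings; prints -1, 0 or 1.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# True (exit 0) when the version is inside the affected range.
# 1.30.1 and 1.31.0, the fixed releases named in the article, fall outside it.
nginx_version_affected() {
  [ "$(vercmp "$1" 0.6.27)" -ge 0 ] && [ "$(vercmp "$1" 1.30.0)" -le 0 ]
}

# Pull the version out of `nginx -v` output (it is printed on stderr),
# e.g. "nginx version: nginx/1.24.0" -> "1.24.0".
parse_nginx_v() {
  printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# Print rewrite directives that reference a numbered capture. Comment
# lines are skipped; rules using only named captures ($name) are not listed.
rewrites_with_unnamed_captures() {
  printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -E '^[[:space:]]*rewrite[[:space:]]' \
    | grep -E '\$[0-9]'
}

# Number of such rules in a config text (0 when there are none).
count_unnamed() {
  rewrites_with_unnamed_captures "$1" | wc -l | tr -d ' '
}

# Constructed sample config for this example: one rule with an unnamed
# capture, the same rule in the named-capture form the workaround calls
# for, and a second unnamed-capture rule.
SAMPLE_CONF='
server {
    # unnamed capture referenced as $1: candidate for conversion
    rewrite ^/old/(.*)$ /new/$1? permanent;
    # named-capture form of the same rule
    rewrite ^/old/(?<rest>.*)$ /new/$rest? permanent;
    rewrite ^/static/(.*)$ /assets/$1 last;
}'

# Stand-alone usage: report on the installed nginx if present, then audit
# the sample config.
if command -v nginx >/dev/null 2>&1; then
  installed=$(parse_nginx_v "$(nginx -v 2>&1)")
  if nginx_version_affected "$installed"; then
    echo "nginx $installed is inside the affected range"
  else
    echo "nginx $installed is outside the affected range"
  fi
fi
echo "rewrite rules still using unnamed captures:"
rewrites_with_unnamed_captures "$SAMPLE_CONF"
```

To audit a real configuration, pass the output of `nginx -T` (which dumps the full, included config) to `rewrites_with_unnamed_captures` instead of `SAMPLE_CONF`. The listing is a starting point, not a verdict: the report does not say every rule with a numbered capture is exploitable, only that named captures are the recommended stopgap, so a rule appearing here means "convert or upgrade", and the fixed release is the real remedy.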

What does this mean for your website?

If your website runs on a managed hosting plan, your hosting provider is likely responsible for keeping the server software up to date, but it is worth asking them whether they have applied the NGINX patches. If you or a developer manage your own server, check your NGINX version against the affected ranges listed above and update promptly. For a broader look at keeping your website secure, see our security checklist for small businesses.
