Nginx has disclosed a critical high-severity vulnerability, CVE-2026-42945, threatening approximatel
<News & Updates> | 2026-05-15

A code defect that had existed for 18 years was only formally disclosed by security teams this week.


Researchers say that attackers, without needing to log in or authenticate, can send a specially crafted HTTP request to crash an NGINX worker process. Under suitable conditions, they may also achieve remote code execution on the server.


CVE-2026-42945 traces back to 2008 and has long existed in nearly all standard NGINX builds. Given that NGINX serves approximately one-third of websites worldwide, the impact of this incident is especially significant.


The issue lies in the processing logic of ngx_http_rewrite_module. Once an internal flag is set to the argument-escaping state, it is never cleared. The subsequent length calculation sizes the buffer from the original byte count, but the data is escaped again when it is actually written.


According to researchers, this causes characters in an attacker's URI (such as `+`, `%` and `&`) to expand from 1 byte to 3 bytes, overflowing a buffer that would otherwise be sufficient.


Depthfirst has produced a working proof-of-concept demonstrating unauthenticated RCE (remote code execution) when ASLR is disabled. The report also mentions a theoretical method by which an attacker could repeatedly send requests to gradually overwrite pointer bytes in an attempt to bypass ASLR.


Making matters worse, NGINX's multi‑process architecture actually gives attackers repeated opportunities to try: when a worker process crashes, the master process spawns a new one, and the heap layout may remain consistent.


On the remediation front, NGINX Open Source must be upgraded to version 1.31.0 or 1.30.1, and NGINX Plus must be upgraded to R36P4 or R32P6. The service must then be restarted to load the patched binary.


If an immediate upgrade is not possible, the official mitigation is to change unnamed regex captures in the affected `rewrite` rules to named captures. The original disclosure states that named captures do not trigger the problematic escaping path, thereby removing the current attack surface.
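
One way to locate the `rewrite` rules this mitigation applies to, as an added example (not from the original article or from NGINX): it lists `rewrite` directives whose regex still has unnamed capture groups or whose replacement references `$1`..`$9`. The sample configuration is constructed, and treating every such rule as a candidate for conversion is an assumption, since the article does not define which rules are affected.

```python
import re

# Constructed sample configuration (not from the article): line 3 uses
# numbered captures, line 4 the named form the mitigation asks for.
SAMPLE_CONF = r"""
server {
    rewrite ^/item/([0-9]+)/(.*)$ /view.php?id=$1&slug=$2 last;
    rewrite ^/user/(?<uid>[0-9]+)$ /profile.php?id=$uid last;
    rewrite "^/dl/(?:a|b)/(.+)$" /files/$1 break;
}
"""

# One directive argument: double-quoted, single-quoted, or bare.
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'|(\S+)')

def unnamed_groups(pattern):
    """Count capture groups without a name, skipping escapes and [...] classes."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":            # escaped character, e.g. \( is a literal
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and pattern[i + 1:i + 2] != "?":
            count += 1           # "(?" opens a named, non-capturing or lookaround group
        i += 1
    return count

def audit_rewrites(conf_text):
    """Return rewrite directives that still rely on unnamed/numbered captures."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*rewrite\s+(.+);", line)   # single-line directives only
        args = ["".join(t) for t in TOKEN.findall(m.group(1))] if m else []
        if len(args) < 2:
            continue
        groups = unnamed_groups(args[0])
        refs = sorted(set(re.findall(r"\$([1-9])", args[1])))
        if groups or refs:
            findings.append({"line": lineno, "regex": args[0],
                             "unnamed_groups": groups, "numbered_refs": refs})
    return findings

if __name__ == "__main__":
    for finding in audit_rewrites(SAMPLE_CONF):
        print(finding)
```

The scan is line-based, so directives split across lines or pulled in through `include` files need to be checked separately.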


Simply put, this vulnerability is a security risk caused by the rewrite module. Hackers can crash NGINX simply by accessing a specially crafted URL. If you are not using rewrite (pseudo-static rules), you do not need to worry about this vulnerability.


For the remote code execution risk in Nginx, deploying the MagiAegis Defense System can resolve it. It comes with built‑in Nginx protection rules by default, which can be viewed in the "Process Protection" module.


(Nginx protection, preventing remote code execution)
