Attackers exploit NGINX heap overflow bug to crash servers and run code remotely.
- Exploit targets NGINX heap buffer overflow in ngx_http_rewrite_module
- Bug impacts NGINX Plus and Open from 0.6.27 to 1.30.0
- Attackers crash worker processes and attempt remote code execution
A newly disclosed security flaw in the popular web server NGINX is now under active exploitation, just days after its public disclosure. The vulnerability, tracked as CVE-2026-42945 with a CVSS score of 9.2, is a heap buffer overflow in the ngx_http_rewrite_module. This bug affects NGINX Plus and NGINX Open versions from 0.6.27 through 1.30.0, putting countless production servers at risk of crashes and remote code execution attempts.
Security researchers at VulnCheck first spotted the exploit in live attacks on Tuesday, mere hours after details of the bug emerged. The flaw lets an attacker send a specially crafted HTTP request that overflows a heap buffer, causing NGINX worker processes to crash. In some cases, attackers can chain this crash into a full remote code execution attack, giving them control over the server.
How the exploit works
The heap overflow sits in NGINX’s URL rewrite module, which admins use to redirect or change URLs on the fly. An attacker crafts a request with a malformed URL that triggers the buffer overflow. The overflow corrupts memory in a way that either kills the NGINX worker process outright or, worse, lets the attacker run code with the same privileges as the NGINX process. Since NGINX often runs as root, the impact can be severe.
The Hacker News reported the bug on Monday after it was privately disclosed to NGINX maintainers. The NGINX team released version 1.30.1 last week with a fix, but many admins haven’t patched yet. VulnCheck’s telemetry shows exploit attempts spiking globally, with the highest concentrations in North America and Europe.
Who’s at risk and what to do
Any organization running an unpatched version of NGINX Plus or Open is vulnerable. That includes cloud providers, hosting firms, and enterprises using NGINX as a reverse proxy, load balancer, or static web server. The exploit doesn’t require authentication, so attackers can target exposed servers directly from the internet.
Admins should upgrade to NGINX 1.30.1 or later immediately. If patching isn’t possible, NGINX suggests disabling the ngx_http_rewrite_module or restricting access to the server via firewall rules. NGINX also recommends monitoring worker process crashes as a sign of exploitation.
Security firm depthfirst noted that the exploit is trivial to reproduce, which is why it’s spreading so fast. They’ve seen attackers using the bug to install cryptominers and web shells on compromised servers. The simplicity of the attack means script kiddies and advanced actors alike are likely using it.
The broader impact could be messy. NGINX powers about 30% of all websites, so widespread exploitation risks outages for sites that rely on it. Cloud providers like Amazon AWS and Cloudflare have already started pushing patches to their managed NGINX offerings, but smaller firms may lag behind.
This isn’t the first time NGINX has faced major vulnerabilities. In 2022, a flaw in the ngx_http_lua_module led to remote code execution on thousands of servers. The pattern shows that even mature software can slip up, and admins must stay vigilant about updates.
For now, the best defense is to patch fast. If you run NGINX, check your version and upgrade immediately. Watch your logs for crashes or odd requests, and assume you’re a target until proven otherwise.
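The two checks recommended above (is the installed version in the affected range, and are worker processes crashing), as an added example that is not from the article or from NGINX. It assumes the upstream `nginx -v` banner format and the standard error-log line the master writes when a worker dies on a signal; the burst threshold, the signal set and the sample log lines are constructed for illustration, and a distribution that backports the fix without changing the version string would still be flagged.

```python
import re
from collections import Counter

AFFECTED_MIN = (0, 6, 27)  # first affected release, per the article
AFFECTED_MAX = (1, 30, 0)  # last affected release; 1.30.1 carries the fix

VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
# Error-log line written by the nginx master when a worker dies on a signal.
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2} \[\w+\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)
# Signals typical of memory corruption on Linux: SIGABRT, SIGBUS, SIGSEGV.
CRASH_SIGNALS = {6, 7, 11}

def is_affected(version_banner):
    """True if the `nginx -v` banner reports a version in the affected range."""
    m = VERSION_RE.search(version_banner)
    if not m:
        raise ValueError("no nginx version found in banner")
    version = tuple(int(part) for part in m.groups())
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def crash_bursts(log_lines, threshold=3):
    """Return {minute: count} for minutes with at least `threshold` worker crashes."""
    per_minute = Counter()
    for line in log_lines:
        m = CRASH_RE.match(line)
        if m and int(m.group(3)) in CRASH_SIGNALS:
            per_minute[m.group(1)] += 1
    return {minute: n for minute, n in per_minute.items() if n >= threshold}

# Constructed sample error-log lines (not taken from a real incident).
SAMPLE_LOG = [
    "2026/05/17 11:02:11 [alert] 811#811: worker process 1290 exited on signal 11 (core dumped)",
    "2026/05/17 11:02:19 [alert] 811#811: worker process 1301 exited on signal 11 (core dumped)",
    "2026/05/17 11:02:24 [error] 1305#1305: *41 open() \"/srv/www/x\" failed (2: No such file or directory)",
    "2026/05/17 11:02:40 [alert] 811#811: worker process 1305 exited on signal 11",
    "2026/05/17 11:02:55 [alert] 811#811: worker process 1312 exited on signal 9",
    "2026/05/17 11:07:03 [alert] 811#811: worker process 1320 exited on signal 11",
]

if __name__ == "__main__":
    print("affected:", is_affected("nginx version: nginx/1.29.4"))
    print("crash bursts:", crash_bursts(SAMPLE_LOG))
```

A single crash is not proof of exploitation; repeated signal-11 exits within a short window on a host in the affected range are the pattern worth escalating.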
What You Need to Know
- Source: The Hacker News
- Published: May 17, 2026 at 11:57 UTC
- Category: Security
All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · May 17, 2026
🇧🇷 Summary in Portuguese (translated)
A silent attack has begun taking down NGINX servers around the world, exposing thousands of Brazilian websites to intrusions that can steal data or hijack systems. The vulnerability, discovered last week, allows criminals to take down online services or even execute code remotely, turning seemingly stable servers into easy targets for cyberattacks.
Brazil, which hosts millions of websites and critical services running NGINX, from small businesses to large corporations, is especially vulnerable. The flaw, classified as a heap buffer overflow, occurs when an attacker sends malicious packets that overload the server's memory, allowing arbitrary commands to be executed. Experts warn that, without urgent updates, Brazilian systems could be used for chained attacks such as DDoS or ransomware, or even serve as a base for digital espionage. The recommendation is clear: apply the patches released by F5 (the owner of NGINX) as quickly as possible, because time is short.
While companies and government agencies race against the clock, new exploits are expected to emerge in the coming hours, making the update a matter of digital survival.