A critical vulnerability sitting undetected in NGINX for 18 years is now being actively weaponized. Canadian hosting providers, web application teams, and organizations running NGINX at any layer of their infrastructure need to act immediately.
What Happened
Researchers disclosed CVE-2026-42945, a critical heap buffer overflow in the ngx_http_rewrite_module component of NGINX, affecting all versions from 0.6.27 through 1.30.0, a range covering nearly every NGINX release since 2008. NGINX Plus R32 through R36 is also affected, as are F5’s NGINX Ingress Controller and F5 WAF for NGINX. The CVSS score is 9.2, placing it in the critical tier.
The flaw triggers when a rewrite directive is followed by a rewrite, if, or set directive paired with an unnamed Perl-Compatible Regular Expression (PCRE) capture group containing a question mark in the replacement string. A specially crafted HTTP request causes heap corruption. Unauthenticated attackers can reliably trigger denial-of-service by crashing NGINX worker processes. Remote code execution is possible on systems where ASLR is disabled, and researchers note sophisticated attackers can chain heap grooming techniques with memory disclosure vulnerabilities to bypass ASLR on hardened systems.
The vulnerability was discovered on April 18, 2026, reported to the vendor on April 21, and a public proof-of-concept was released on May 13. VulnCheck’s canary systems flagged active exploitation attempts beginning May 16 — three days after the PoC dropped. Help Net Security confirmed exploitation activity on May 18. NGINX released fixed versions: 1.30.2 for Open Source and R36 P2 for NGINX Plus.
Why This Matters for Canadian Organizations
NGINX is the most widely deployed web server in the world and serves as a reverse proxy, load balancer, and API gateway across Canadian hosting providers, managed service providers, financial institutions, government web properties, and cloud-native application environments. A critical unauthenticated flaw with active exploitation and a public exploit represents immediate risk to any organization that has not patched.
Canadian web hosting companies — many of which serve small businesses, municipal governments, healthcare portals, and not-for-profits — run NGINX across shared and dedicated hosting fleets. A single compromised NGINX instance on a shared hosting platform can expose all tenants on that server. For organizations using NGINX as a perimeter-facing reverse proxy, exploitation could expose backend application servers, internal APIs, and user session data.
Under PIPEDA, a breach of personal data resulting from an unpatched known vulnerability is precisely the kind of failure that constitutes inadequate security safeguards. The vulnerability has been public since May 13; organizations that fail to patch within a reasonable timeframe after a critical advisory, particularly one with confirmed active exploitation, face regulatory risk. The CCCS advisory feed should be monitored for any formal advisory aligned with this vulnerability.
What to Do
Upgrade NGINX Open Source to version 1.30.2 or the latest stable release immediately. NGINX Plus users should upgrade to R36 P2. For organizations running F5 products that incorporate NGINX, apply the relevant F5 quarterly security patches released in May 2026.
If immediate patching is not possible, audit your NGINX configuration and, as a temporary mitigation, remove or simplify rewrite rule chains in which a rewrite is followed by a rewrite, if, or set directive whose replacement string uses an unnamed PCRE capture group and contains a question mark. This reduces the attack surface but does not eliminate the flaw.
Web application firewalls positioned in front of NGINX servers should have rules tuned to block malformed rewrite-triggering requests while patching is completed.
Inventory all NGINX deployments, including containerized instances, Kubernetes ingress controllers, and CI/CD pipeline tooling; these are frequently overlooked.
Review server logs for anomalous HTTP requests that coincide with worker process crashes, which are a signal of active exploitation attempts; the NGINX master process records such crashes in the error log as alerts that a worker process exited on a signal.
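The configuration audit suggested above, as an added example that is not code from the advisory, NGINX, or F5: a Python script that scans an NGINX configuration for the directive shape this advisory describes. The matching rule is an assumption drawn from the advisory's wording (a rewrite followed by a rewrite, if, or set whose replacement references an unnamed capture group and contains a question mark), and both sample configurations are constructed for the example.

```python
import re
import shlex

# Constructed sample configs (not from the advisory). RISKY_CONF has the shape
# the advisory describes: a rewrite followed by a rewrite whose replacement uses
# an unnamed capture ($1) and contains '?'. SIMPLIFIED_CONF collapses the chain
# into one rewrite with a named capture, the stop-gap the advisory suggests.
RISKY_CONF = """
location /old/ {
    rewrite ^/old/(.*)$ /legacy/$1 last;
    rewrite ^/legacy/(.*)\\.php$ /app/index.php?page=$1? last;
}
"""
SIMPLIFIED_CONF = """
location /old/ {
    rewrite ^/old/(?<page>[^/]+)\\.php$ /app/index.php?page=${page} last;
}
"""

DIRECTIVE = re.compile(r'^(rewrite|set|if)\b\s*(.*)$')
UNNAMED_REF = re.compile(r'\$[1-9]')  # $1..$9 reference unnamed capture groups

def replacement_of(name, args):
    """Replacement (rewrite) or value (set) argument; whole condition for if."""
    toks = shlex.split(args.rstrip(';{ '))
    if name in ('rewrite', 'set') and len(toks) >= 2:
        return toks[1]
    return ' '.join(toks)

def audit_rewrite_chains(conf_text):
    """Heuristic derived from the advisory's wording (an assumption, not NGINX's
    own check): report (line_no, line) for each rewrite/set/if that directly
    follows a rewrite in the same block and whose replacement references an
    unnamed capture and contains a '?'."""
    findings = []
    prev_was_rewrite = False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        m = DIRECTIVE.match(line)
        if not m:
            if line.endswith('{') or line == '}':
                prev_was_rewrite = False  # entering/leaving a block ends the chain
            continue
        name, args = m.groups()
        repl = replacement_of(name, args)
        if prev_was_rewrite and UNNAMED_REF.search(repl) and '?' in repl:
            findings.append((n, line))
        prev_was_rewrite = name == 'rewrite'
    return findings
```

Run it over each file that `nginx -T` prints to cover included configuration fragments; a finding marks a chain to simplify or remove until the patched version is deployed.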
Source: The Hacker News | Help Net Security