18-year-old NGINX vulnerability allows DoS, potential RCE

Information:

   NGINX is a massively used web server and reverse proxy platform, powering a third of the top ranked websites. It can efficiently balance load by distributing incoming network traffic to multiple backend servers and reduce load times by caching content.

Incident:

  An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution.

  The vulnerability is tracked as CVE-2026-42945 and received a critical severity rating of 9.2, based on the latest version of the Common Vulnerability Scoring System (CVSS).

  CVE-2026-42945 is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0, which has been in the project’s code for roughly 18 years.

  According to DepthFirst, the vulnerability can be triggered when NGINX configurations use both the ‘rewrite’ and ‘set’ directives, a pattern the researchers say is common in API gateways and reverse proxy setups.

  The flaw stems from inconsistent state handling in NGINX’s internal script engine, which processes rewrites in two passes: one to calculate the amount of memory to allocate, and one to copy the actual data.

  An ‘is_args’ flag remains set after a rewrite whose replacement contains ‘?’. The length pass then sizes the buffer from the unescaped URI, while the copy pass writes the longer escaped form of characters such as ‘+’ and ‘&’, so the copy runs past the end of the heap allocation.
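To make the length-pass/copy-pass mismatch concrete, here is an added example written for this bulletin. It is a simplified model, not NGINX's script-engine code: the function names are invented, and the assumption that the copy pass expands ‘+’ and ‘&’ to a three-byte %XX form is chosen only to show the two passes disagreeing. The sample URI is constructed.

```c
/*
 * Added example for this bulletin, not NGINX source code: a minimal model of
 * the "length pass, then copy pass" pattern described above, showing how a
 * flag that only the copy pass honours under-sizes the heap allocation.
 *
 * Assumptions (not taken from the advisory): the copy pass expands '+' and
 * '&' to a 3-byte %XX form; the function names are invented.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters the copy pass escapes when the args flag is set. */
static int needs_escape(unsigned char c)
{
    return c == '+' || c == '&';
}

/* Pass 1: compute how many bytes the output needs under the given flag. */
size_t length_pass(const char *src, int is_args)
{
    size_t n = 0;
    for (; *src != '\0'; src++)
        n += (is_args && needs_escape((unsigned char)*src)) ? 3 : 1;
    return n;
}

/*
 * Pass 2: copy src into dst, escaping when is_args is set. Writes are clamped
 * to cap so this demo never touches memory it does not own; the return value
 * is the number of bytes the pass *wanted* to write, which is what a real
 * unclamped copy would have produced.
 */
size_t copy_pass(const char *src, int is_args, char *dst, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (is_args && needs_escape(c)) {
            if (n + 3 <= cap) {
                dst[n] = '%';
                dst[n + 1] = hex[c >> 4];
                dst[n + 2] = hex[c & 0x0F];
            }
            n += 3;
        } else {
            if (n < cap)
                dst[n] = (char)c;
            n++;
        }
    }
    return n;
}

/*
 * Emulate one rewrite: size the buffer with the flag state the length pass
 * sees, then copy with the flag state the copy pass sees. Returns how many
 * bytes the copy pass would have written past the allocation (0 means safe).
 * A stale flag (0 at length time, 1 at copy time) reproduces the mismatch.
 */
size_t overshoot(const char *uri, int is_args_at_length, int is_args_at_copy)
{
    size_t alloc = length_pass(uri, is_args_at_length);
    char *buf = malloc(alloc > 0 ? alloc : 1);
    if (buf == NULL)
        return 0;
    size_t wanted = copy_pass(uri, is_args_at_copy, buf, alloc);
    free(buf);
    return wanted > alloc ? wanted - alloc : 0;
}

/*
 * Hardened builder: both passes read the same flag value, and a disagreement
 * between planned and written length is treated as a bug (NULL) instead of
 * an overrun. Caller frees the result.
 */
char *build_uri(const char *uri, int is_args)
{
    size_t len = length_pass(uri, is_args);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    if (copy_pass(uri, is_args, buf, len) != len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    const char *uri = "/search?q=a+b&lang=c";   /* constructed sample request URI */
    printf("consistent flag: overshoot = %zu bytes\n", overshoot(uri, 1, 1));
    printf("stale flag:      overshoot = %zu bytes\n", overshoot(uri, 0, 1));
    char *out = build_uri(uri, 1);
    if (out != NULL) {
        printf("hardened build:  %s\n", out);
        free(out);
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall two_pass.c`. The stale-flag run reports a 4-byte overshoot for the sample URI because the two escaped characters each grow from one byte to three; in the real bug that overshoot is not clamped and lands in the adjacent NGINX memory pool, which is what the pool-structure corruption described in this article builds on.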

  The researchers demonstrated unauthenticated code execution via specially crafted HTTP requests that corrupt adjacent NGINX memory pool structures, overwrite cleanup handler pointers, spray fake structures into memory via POST request bodies, and force NGINX to execute ‘system()’ during pool cleanup.

  However, the code-execution demonstration was performed with Address Space Layout Randomization (ASLR) disabled. ASLR is enabled by default on mainstream systems, but it is sometimes turned off for performance, for example on embedded devices or in virtual machines used for analysis, so on a default installation the reliable outcome is denial of service, with code execution depending on the target's configuration.


Recommendation:

  According to F5’s security advisory, released yesterday, the flaw affects the following NGINX builds. ‘None’ in the last column means the advisory listed no fixed release for that branch at the time of publication.

Product                     Branch  Versions known to be vulnerable  Fixes introduced in
NGINX Plus                  37.x    None                             37.0.0
NGINX Plus                  Rx      R32 - R36                        R36 P4, R32 P6
NGINX Open Source           1.x     1.0.0 - 1.30.0                   1.31.0, 1.30.1
NGINX Open Source           0.x     0.6.27 - 0.9.7                   Will not fix
NGINX Instance Manager      2.x     2.16.0 - 2.22.0                  None
F5 WAF for NGINX            5.x     5.9.0 - 5.12.1                   5.13.0
NGINX App Protect WAF       5.x     5.1.0 - 5.8.0                    None
NGINX App Protect WAF       4.x     4.9.0 - 4.16.0                   None
F5 DoS for NGINX            4.x     4.8.0                            4.9.0
NGINX App Protect DoS       4.x     4.3.0 - 4.7.0                    None
NGINX Gateway Fabric        2.x     2.0.0 - 2.6.0                    None
NGINX Gateway Fabric        1.x     1.3.0 - 1.6.2                    None
NGINX Ingress Controller    5.x     5.0.0 - 5.4.2                    None
NGINX Ingress Controller    4.x     4.0.0 - 4.0.1                    None
NGINX Ingress Controller    3.x     3.5.0 - 3.7.2                    None
NGINX (all other products)  All     None                             Not applicable

For those unable to upgrade, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in vulnerable ‘rewrite’ rules with named captures, which eliminates the main exploitation prerequisite.
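As an added illustration, constructed for this bulletin and not taken from the advisory or from any real deployment: a rewrite rule of the shape the article describes (a numeric capture, a ‘set’ in the same block, and a ‘?’ introduced by the replacement), beside the same rule written with named captures as F5 recommends. The location path, regular expression and upstream name are placeholders; whether a given rule is actually reachable by the bug depends on the conditions in the advisory, and the workaround does not replace the upgrade.

```nginx
# Before (constructed example): numeric captures $1/$2 in a rewrite whose
# replacement adds a '?', alongside a 'set' in the same location block.
location /api/ {
    set $tenant_hdr "";
    rewrite ^/api/([^/]+)/(.*)$ /$2?tenant=$1 break;
    proxy_pass http://backend;
}

# After: the same rule using named PCRE captures, referenced as variables.
# No $1/$2 references remain in the rewrite.
location /api/ {
    set $tenant_hdr "";
    rewrite ^/api/(?<tenant>[^/]+)/(?<rest>.*)$ /$rest?tenant=$tenant break;
    proxy_pass http://backend;
}
```

The two blocks are alternatives, not meant to coexist in one server context. After editing, run `nginx -t` to validate the configuration before reloading, and compare the output of `nginx -v` against the fixed versions in the table above to confirm whether the build itself still needs upgrading.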

Security is an ongoing concern; keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)
065 725 7405 (Ms.Donraya)

Weekly Interesting CVE

Fields per entry: CVE name; published date and last update (d/m/yyyy); device/application/OS target; attack type; CVSS score; detail; solution; reference.

1. CVE-2026-20195
   Published: 6/5/2026   Last update: 6/5/2026
   Target: Cisco ISE
   Attack type: Response discrepancy
   CVSS: 5.3
   Detail: A vulnerability in an identity management API endpoint of Cisco ISE allows exploitation through observable response discrepancies in error messages. When the affected API endpoint is called, differentiated error responses are returned that reveal whether a username exists on the system. An attacker can send a series of crafted requests to the endpoint and analyze the responses to determine valid usernames.
   Solution: Update to the latest version.
   Reference: https://feedly.com/cve/CVE-2026-20195

2. CVE-2026-7994
   Published: 6/5/2026   Last update: 6/5/2026
   Target: Google Chrome on Windows prior to 148.0.7778.96
   Attack type: Local privilege escalation
   CVSS: 7.8
   Detail: Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file.
   Solution: Upgrade to 148.0.7778.96.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-7994

3. CVE-2025-12690
   Published: 11/3/2026   Last update: 7/5/2026
   Target: Forcepoint NGFW Engine through 6.10.19, through 7.1.10, through 7.2.4, through 7.3.0
   Attack type: Unnecessary privileges
   CVSS: 7.8
   Detail: Execution with unnecessary privileges in Forcepoint NGFW Engine allows local privilege escalation. This issue affects NGFW Engine through 6.10.19, through 7.3.0, through 7.2.4 and through 7.1.10.
   Solution: Upgrade to 6.10.20, 7.1.11, 7.2.5 or 7.3.1.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-12690
   Reference: https://github.com/FoundationAgents/MetaGPT/issues/1

4. CVE-2026-0300
   Published: 6/5/2026   Last update: 7/5/2026
   Target: Palo Alto Networks PAN-OS (PA-Series and VM-Series firewalls)
   Attack type: Buffer overflow
   CVSS: 9.8
   Detail: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
   Solution: Upgrade to 12.1.4-h5 or later, 11.2.4-h17 or later, 11.1.4-h33 or later, or 10.2.7-h34 or later.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-0300

5. CVE-2026-6973
   Published: 7/5/2026   Last update: 7/5/2026
   Target: Ivanti EPMM
   Attack type: Input validation
   CVSS: 7.2
   Detail: An improper input validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1 and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
   Solution: Update to 12.6.1.1, 12.7.0.1 or 12.8.0.1.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-6973

 

Malware News or Campaign IOC/IOA | EN

Fields per entry: campaign name; detection date (d/m/yyyy); attack type; description; mitigation/remediation; reference.

1. Australian organizations warned of Vidar Stealer malware campaign using ClickFix technique
   Detection date: 08/05/2026
   Attack type: Malware
   Description: The Australian Cyber Security Centre (ACSC) has issued a warning regarding an attack campaign using the “ClickFix” technique, which tricks users visiting compromised WordPress websites into running malicious commands to spread the Vidar Stealer malware. The malware is designed to steal sensitive information, such as passwords saved in web browsers and other user data.
   Mitigation/Remediation:
   • Avoid executing unknown or untrusted commands.
   • Conduct security awareness training for employees.
   • Regularly update systems and software to the latest versions.
   Reference: https://www.scworld.com/brief/australian-organizations-warned-of-vidar-stealer-malware-campaign-using-clickfix-technique

19 May 2026
