NGINX has recently come under scrutiny following the discovery of a set of critical vulnerabilities that remained hidden for approximately 18 years. The flaws pose a significant threat to roughly one-third of the world's web servers. Four vulnerabilities have been identified, with the following severity ratings: CVE-2026-42945 (9.2, Critical), CVE-2026-42946 (8.3, High), CVE-2026-40701 (6.3, Medium), and CVE-2026-42934 (6.3, Medium).
Attackers can exploit these vulnerabilities to crash the NGINX worker process without authenticating, simply by sending specially crafted HTTP requests. Under certain conditions, they may even achieve remote code execution on the server. The root cause lies in the processing logic of the ngx_http_rewrite_module: when an attacker includes specific characters in the URI, a buffer overflow is triggered.
The research team depthfirst has released a proof-of-concept demonstrating that, with Address Space Layout Randomization (ASLR) disabled, unauthorized remote code execution can be achieved. To mitigate these vulnerabilities, users of NGINX Open Source are advised to upgrade to version 1.31.0 or 1.30.1. NGINX Plus users should upgrade to version R36 P4 or R32 P6 and restart their services. For those unable to upgrade immediately, the recommended temporary measure is to convert unnamed regular expression captures in the affected rewrite rules to named captures.
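As an added example (not from the original article, depthfirst, or NGINX), the following Python audit lists rewrite directives that still use unnamed captures, so they can be converted to named captures as the temporary measure describes. The article does not say exactly which rule shapes are affected, so flagging every rewrite directive with an unnamed capture group is an assumption; the sample configuration and function names are constructed for illustration.

```python
import re

# "rewrite <regex> <replacement> [flag];" with an optionally quoted regex.
REWRITE = re.compile(
    r"""^\s*rewrite\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\S+)\s+([^\s;]+)"""
)
POSITIONAL = re.compile(r"\$[1-9]")  # $1..$9 references in the replacement

# Constructed sample configuration (not taken from the article).
SAMPLE = """server {
    rewrite ^/user/(.*)$ /profile?id=$1 last;
    rewrite ^/item/(?<sku>[0-9]+)$ /catalog?sku=$sku last;
    rewrite "^/a/([a-z]{2})/(.*)$" /b/$2?lang=$1 break;
    rewrite ^/old/(?:x|y)/page$ /new/page permanent;
    # rewrite ^/disabled/(.*)$ /x/$1;
}
"""


def unnamed_groups(pattern):
    """Count plain '(...)' groups; '(?<name>...)' and '(?:...)' are not counted."""
    stripped = re.sub(r"\\.", "", pattern)          # drop escaped chars such as \(
    stripped = re.sub(r"\[[^\]]*\]", "", stripped)  # drop character classes like [(]
    return len(re.findall(r"\((?![?*])", stripped))


def audit(config_text):
    """Return (line_no, unnamed_group_count, uses_positional_ref) per finding."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE.match(line)  # commented-out directives do not match
        if not m:
            continue
        regex = m.group(1)
        if regex[0] in "\"'":
            regex = regex[1:-1]  # remove nginx quoting around the regex
        groups = unnamed_groups(regex)
        if groups:
            uses_positional = bool(POSITIONAL.search(m.group(2)))
            findings.append((line_no, groups, uses_positional))
    return findings


if __name__ == "__main__":
    for line_no, groups, positional in audit(SAMPLE):
        print(f"line {line_no}: {groups} unnamed capture(s), uses $N: {positional}")
```

In the sample, the rule on line 3 shows the target form: the group is written as (?<sku>...) and the replacement refers to $sku instead of a positional $1.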
