Overview
- VulnCheck reports in-the-wild exploitation of CVE-2026-42945 against its NGINX honeypots, with automated scans and PHP web-shell drops traced to a single Chinese IP.
- The vulnerability is a heap buffer overflow in ngx_http_rewrite_module that a crafted URL can trigger to overwrite memory and crash worker processes.
- Researchers have shown remote code execution only when Address Space Layout Randomization is disabled and a specific vulnerable rewrite configuration is known.
- F5 and NGINX released patches and guidance, and administrators who cannot upgrade immediately can switch to named capture rewrites as a stopgap.
- VulnCheck and Censys data indicate millions of internet-facing NGINX instances run affected versions, increasing the risk for unpatched deployments even if only a subset is exploitable.
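
For the named-capture stopgap mentioned above, the following added example (not code from VulnCheck, F5 or NGINX) audits a configuration for `rewrite` directives whose replacement uses positional captures (`$1` to `$9`) and proposes a named-capture form for review. It assumes one directive per line; the sample configuration is constructed and the group names `c1`, `c2`, ... are hypothetical. It lists candidates for the change and does not determine whether a directive is exploitable.

```python
import re

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = r"""
# rewrite ^/old/(.*)$ /new/$1 last;
rewrite ^/users/(\d+)/(.*)$ /profile?id=$1&tab=$2 last;
rewrite ^/blog/(?<slug>[^/]+)$ /post?slug=$slug last;
rewrite "^/dl/([^/()]+)\.zip$" /files/$1.zip break;
rewrite ^/a/(?:x|y)/(.*)$ /b/$1 last;
"""

# Assumes one rewrite directive per line; either argument may be quoted.
TOKEN = r'("[^"]*"|\'[^\']*\'|[^\s;]+)'
DIRECTIVE = re.compile(r"^\s*rewrite\s+" + TOKEN + r"\s+" + TOKEN)
POSITIONAL = re.compile(r"\$([1-9])")


def to_named(regex, repl):
    """Suggest a named-capture form; c1, c2, ... are hypothetical names."""
    if "(?" in regex:  # already has named/special groups: manual review
        return None
    out, n, i, in_class = [], 0, 0, False
    while i < len(regex):
        step = 2 if regex[i] == "\\" else 1  # keep escaped chars intact
        tok = regex[i:i + step]
        if tok == "[":
            in_class = True
        elif tok == "]":
            in_class = False
        elif tok == "(" and not in_class:  # unnamed capturing group
            n += 1
            tok = f"(?<c{n}>"
        out.append(tok)
        i += step
    return "".join(out), POSITIONAL.sub(r"${c\1}", repl)


def audit(conf_text):
    """Return (line_no, (regex, repl), suggestion) for rewrites using $1..$9."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # whole-line comment
            continue
        m = DIRECTIVE.match(line)
        if m and POSITIONAL.search(m.group(2)):
            hits.append((no, m.groups(), to_named(*m.groups())))
    return hits
```

A suggestion of `None` marks a directive that mixes group types and needs a manual rewrite; validate any changed configuration with `nginx -t` before reloading.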