NGINX 18-Year-Old Heap Buffer Overflow CVE-2026-42945 — CVSS 9.2 Flaw Affects All Versions Since 0.6.27 Including Modern API Gateways

A heap buffer overflow in NGINX's chunked transfer encoding handler, present since version 0.6.27 released in 2008, has been assigned CVE-2026-42945 with a CVSS score of 9.2. The vulnerability affects all NGINX versions through the latest release and has potential for both denial-of-service and remote code execution. Patches are available and the broad deployment of NGINX as a web server, reverse proxy, and API gateway makes this a wide-impact event.

A heap buffer overflow vulnerability in NGINX’s chunked transfer encoding handler has been discovered and assigned CVE-2026-42945 (CVSS 9.2). The flaw has been present since NGINX version 0.6.27, released in 2008, meaning every NGINX version deployed in production over the past 18 years is technically affected. The vulnerability is present in the NGINX mainline and stable branches as well as in the commercial NGINX Plus, and the exposure is broad given NGINX’s widespread role as a web server, reverse proxy, load balancer, and API gateway.

Technical Detail

The vulnerability exists in how NGINX parses HTTP/1.1 chunked transfer encoding when processing certain malformed chunk size values. A specially crafted HTTP request containing a chunked body with an oversized chunk size indicator triggers a heap buffer overflow in the chunk size parsing code, corrupting adjacent memory allocations.

The primary confirmed impact is a reliable denial-of-service — a single malformed request can crash the NGINX worker process. Under specific heap layout conditions achievable through heap grooming with preceding legitimate requests, the overflow can potentially be converted to code execution, though no public RCE PoC has been demonstrated at the time of writing.

The chunked transfer encoding parsing path is exercised by any HTTP/1.1 client that uses chunked request bodies — including standard clients performing file uploads, API frameworks using streaming request payloads, and HTTP/1.1 proxied traffic.

Scope

NGINX’s market share makes this vulnerability exceptionally wide-reaching:

  • Approximately 34% of all websites run NGINX
  • NGINX is embedded in hundreds of commercial appliances and products as a bundled component
  • NGINX Plus is deployed as an API gateway and load balancer in many enterprise environments
  • Kubernetes ingress controllers commonly use NGINX (nginx-ingress-controller)

Products embedding NGINX — including Citrix ADC in proxy mode, F5 NGINX Plus appliances, and various cloud-native load balancer products — may require vendor-specific patches rather than direct NGINX updates.

Mitigation

  • Update NGINX immediately: Apply the patched NGINX version (1.27.5 stable / 1.28.0 mainline or later). On Debian/Ubuntu: apt update && apt upgrade nginx. On RHEL/CentOS: yum update nginx.
  • Commercial products: If running NGINX Plus, apply the F5/NGINX Plus security patch. Check with your appliance vendors for any products embedding NGINX.
  • Kubernetes ingress: Update the nginx-ingress-controller Helm chart or Kubernetes deployment to the latest version containing the patched NGINX binary.
  • Temporary mitigation: If patching must be delayed, consider implementing a WAF rule that rejects requests with malformed chunked transfer encoding. This is a mitigation, not a fix.
  • API gateways: Organisations running NGINX as an API gateway (NGINX Plus with API Management) should apply the patch with priority, as API gateways typically face external traffic from a broad range of clients.
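Two of the points above call for the same illustration: the Technical Detail section describes a chunk-size parser that trusts an oversized size indicator before bounding it, and the temporary mitigation calls for rejecting requests whose chunked framing is malformed. The C program below is an added example written for this page; it is not NGINX's parser and not the patch. It shows what an overflow-safe chunk-size parser and a strict chunked-body validator look like: the hex accumulator is capped on digit count before each shift so it cannot wrap, the decoded size is checked against a policy limit before it is ever used as a length, and every data access is bounds-checked against the actual input. The two limits (MAX_SIZE_DIGITS, MAX_CHUNK_SIZE) and all sample bodies are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example for this page: a strict, overflow-safe validator for an HTTP/1.1
 * chunked body. Not NGINX's parser and not the patch; limits are assumed policy. */
#define MAX_SIZE_DIGITS 8                   /* assumed: at most 8 hex digits */
#define MAX_CHUNK_SIZE  ((size_t)16 << 20)  /* assumed: 16 MiB per chunk */

enum chunk_status { CHUNK_BAD = -1, CHUNK_OK = 0, CHUNK_NEED_MORE = 1 };

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one chunk-size line "<hex>[;ext]\r\n" from p[0..len). The digit cap is
 * checked before each shift so the accumulator cannot wrap, and the policy cap
 * is checked before the value is ever used as a length. */
int parse_chunk_size(const unsigned char *p, size_t len, size_t *size_out, size_t *consumed)
{
    size_t i = 0, size = 0, ndigits = 0;
    int v;
    while (i < len && (v = hexval(p[i])) >= 0) {
        if (++ndigits > MAX_SIZE_DIGITS) return CHUNK_BAD; /* more digits than the cap */
        size = (size << 4) | (size_t)v;
        i++;
    }
    if (ndigits == 0) return CHUNK_BAD;          /* no size at all, e.g. "-1" */
    if (size > MAX_CHUNK_SIZE) return CHUNK_BAD; /* oversized chunk indicator */

    if (i < len && p[i] == ';') {                /* optional chunk extension */
        while (i < len && p[i] != '\r') {
            if (p[i] < 0x20 || p[i] == 0x7f) return CHUNK_BAD; /* raw control byte */
            i++;
        }
    }
    if (len - i < 2) return CHUNK_NEED_MORE;
    if (p[i] != '\r' || p[i + 1] != '\n') return CHUNK_BAD;
    *size_out = size;
    *consumed = i + 2;
    return CHUNK_OK;
}

/* Validate a whole chunked body in buf[0..len). Sets *total to the decoded
 * payload length on CHUNK_OK; never reads past len, whatever the sizes claim. */
int validate_chunked_body(const unsigned char *buf, size_t len, size_t *total)
{
    size_t off = 0, sum = 0;
    for (;;) {
        size_t size, used;
        int st = parse_chunk_size(buf + off, len - off, &size, &used);
        if (st != CHUNK_OK) return st;
        off += used;

        if (size == 0) {                         /* last chunk: trailers, then CRLF */
            for (;;) {
                const unsigned char *eol = memchr(buf + off, '\n', len - off);
                size_t line_len;
                if (eol == NULL) return CHUNK_NEED_MORE;
                line_len = (size_t)(eol - (buf + off)) + 1;
                if (line_len < 2 || eol[-1] != '\r') return CHUNK_BAD;
                off += line_len;
                if (line_len == 2) { *total = sum; return CHUNK_OK; }
            }
        }
        if (size > len - off) return CHUNK_NEED_MORE; /* claimed size vs. real input */
        if (SIZE_MAX - sum < size) return CHUNK_BAD;
        sum += size;
        off += size;
        if (len - off < 2) return CHUNK_NEED_MORE;  /* each chunk ends with CRLF */
        if (buf[off] != '\r' || buf[off + 1] != '\n') return CHUNK_BAD;
        off += 2;
    }
}

/* Wrappers over NUL-terminated constructed samples. */
int validate_str(const char *s)
{
    size_t total;
    return validate_chunked_body((const unsigned char *)s, strlen(s), &total);
}
long decoded_len(const char *s)
{
    size_t total = 0;
    if (validate_chunked_body((const unsigned char *)s, strlen(s), &total) != CHUNK_OK) return -1;
    return (long)total;
}

int main(void)
{
    /* Constructed samples: a well-formed body and one with a 9-digit chunk size. */
    const char *good = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    const char *bad = "FFFFFFFFF\r\nx\r\n0\r\n\r\n";
    printf("good: status %d, payload %ld bytes\n", validate_str(good), decoded_len(good));
    printf("bad: status %d\n", validate_str(bad));
    return 0;
}
```

The validator returns CHUNK_BAD as soon as a size line has more digits than the cap, exceeds the policy limit, contains non-hex characters before the CR, or is not terminated by CRLF, and it returns CHUNK_NEED_MORE rather than reading past the buffer when a chunk claims more data than has arrived. A pre-filter of the kind the temporary mitigation describes would apply the same strictness at the edge; the specific digit and byte caps should be set from what the protected application actually needs.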
