Critical Remote Code Execution Vulnerabilities Discovered in NGINX Impact Multiple Deployments
What Happened — Researchers have identified several high‑severity flaws in NGINX (including CVE‑2026‑42945, CVE‑2026‑42946, and others) that allow an unauthenticated attacker to crash worker processes or, on hosts where ASLR is disabled, achieve remote code execution. A proof‑of‑concept exploit is publicly available, and CVE‑2026‑42945 has already been exploited in the wild.
Why It Matters for TPRM —
- Core web‑serving and reverse‑proxy components used by thousands of third‑party vendors are vulnerable.
- Exploitation can lead to full compromise of the host, theft of data passing through the proxy, or service disruption for downstream customers.
- The flaws span both open‑source and commercial NGINX products, increasing supply‑chain risk.
Who Is Affected — Government agencies, large and medium enterprises, cloud‑hosting providers, SaaS platforms, and any organization that relies on NGINX (Open Source, NGINX Plus, Ingress Controller, App Protect, etc.).
Recommended Actions —
- Immediately apply the NGINX patches covering CVE‑2026‑42945, CVE‑2026‑42946, and related advisories.
- Verify that Address Space Layout Randomization (ASLR) is enabled on all NGINX hosts (kernel.randomize_va_space = 2) and that the nginx binary is built as a position‑independent executable, since ASLR does not randomize a non‑PIE binary. ASLR raises the cost of exploitation; it is not a substitute for patching.
- Conduct vulnerability scans on all web‑facing assets that run NGINX and confirm no unpatched versions remain. Compare the installed package version against the vendor or distribution advisory rather than relying on the banner alone, because distribution packages may backport the fix without changing the upstream version string.
- Review third‑party contracts for clauses requiring timely security updates and remediation timelines.
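The two host‑side checks in the list above (ASLR state and installed version) can be automated. The script below is an added example written for this brief, not code from the advisory or from NGINX. It assumes the operator supplies the minimum fixed version as MIN_FIXED_VERSION, because the advisory names no fixed version, and it reads the ASLR setting, the readelf header and the nginx -v banner as inputs so the logic can be exercised on constructed data.

```shell
#!/bin/sh
# Added example (not from the advisory): host checks for ASLR and NGINX version.
# Assumption (not from the page): MIN_FIXED_VERSION is supplied by the operator.

# Return 0 (true) if dotted version $1 is lower than dotted version $2.
version_lt() {
    a=$1; b=$2; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Extract the dotted version from an "nginx -v" banner, e.g.
# "nginx version: nginx/1.25.3" or "nginx version: nginx/1.25.5 (nginx-plus-r32)".
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Classify the kernel ASLR setting read from a randomize_va_space file.
# 2 = full (stack, mmap, brk), 1 = partial (brk not randomized), 0 = off.
# Prints the status; exit 0 only for "full".
aslr_status() {
    file=${1:-/proc/sys/kernel/randomize_va_space}
    [ -r "$file" ] || { echo "unknown"; return 2; }
    case "$(cat "$file")" in
        2) echo "full"; return 0 ;;
        1) echo "partial"; return 1 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown"; return 2 ;;
    esac
}

# ASLR only randomizes the main executable if it was linked as PIE.
# Takes the text of "readelf -h <binary>"; returns 0 if the ELF Type is DYN.
is_pie_from_readelf() {
    printf '%s\n' "$1" | grep -q '^ *Type: *DYN'
}

# Combined check: 0 only if ASLR is full, the binary is PIE, and the installed
# version is not below the operator-supplied fixed version.
check_host() {
    aslr_file=$1; readelf_out=$2; banner=$3; min_fixed=$4; rc=0
    status=$(aslr_status "$aslr_file") || { echo "ASLR not fully enabled: $status"; rc=1; }
    if ! is_pie_from_readelf "$readelf_out"; then
        echo "nginx binary is not PIE; ASLR does not cover its code/data"; rc=1
    fi
    ver=$(nginx_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse nginx version from banner"; rc=1
    elif version_lt "$ver" "$min_fixed"; then
        echo "nginx $ver is below fixed version $min_fixed"; rc=1
    fi
    return "$rc"
}

# Live run on this host; skipped when nginx is absent or no fixed version given.
if command -v nginx >/dev/null 2>&1 && [ -n "$MIN_FIXED_VERSION" ]; then
    check_host /proc/sys/kernel/randomize_va_space \
        "$(readelf -h "$(command -v nginx)" 2>/dev/null)" \
        "$(nginx -v 2>&1)" "$MIN_FIXED_VERSION" \
        && echo "OK: host meets ASLR/PIE/version checks" \
        || echo "NOT COMPLIANT: see messages above"
fi
```

Run it as MIN_FIXED_VERSION=<version from the vendor advisory> sh check_nginx.sh on each host. The version comparison is deliberately separate from the ASLR check so that a host that passes one and fails the other is reported with a specific reason; for backported distribution packages, replace the banner comparison with the package manager's own version query.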
Technical Notes — The primary attack vector is a heap‑buffer overflow in ngx_http_rewrite_module that permits unauthenticated RCE; a secondary memory‑allocation bug can crash worker processes, and a use‑after‑free in the SSL module may lead to denial of service. Exploits target public‑facing HTTP endpoints, so any NGINX instance reachable from the internet should be treated as exposed until patched. Source: CIS Advisory