thehackernews.com web signal

AI scanner exposes 18-year nginx RCE flaw

cybersecurity ai-security vulnerabilities open-source

Key insights

  • CVE-2026-42945 is a CVSS 9.2 heap buffer overflow in nginx's rewrite module, present since version 0.6.27 released in 2008.
  • A public proof-of-concept exploit was published on GitHub on the same day as disclosure, eliminating any grace period for patching.
  • An autonomous AI scanner made the discovery, demonstrating AI's ability to find long-dormant vulnerabilities that human audits repeatedly missed.

Why this matters

AI-assisted vulnerability research is now operating faster than traditional patch cycles can absorb — a same-day PoC on a CVSS 9.2 flaw means defenders have hours, not weeks, and any organization running nginx on an internet-facing workload should treat this as an active incident response event. The 18-year dormancy period directly challenges the assumption that widely deployed open-source software benefits from sufficient human review; AI scanners are likely to surface more such legacy flaws in core infrastructure at an accelerating rate. For technical leaders, this is a forcing function to re-evaluate how quickly their organizations can operationalize emergency patches across nginx fleets, which in cloud-native environments often span dozens of services and teams.

Summary

An autonomous AI security scanner has surfaced a critical heap buffer overflow in nginx's URL rewrite module that went undetected for 18 years — CVE-2026-42945, CVSS 9.2 — affecting every nginx release from 0.6.27 through 1.30.0 and enabling unauthenticated remote code execution. The flaw lives in how nginx handles unnamed PCRE captures inside rewrite directives, a configuration pattern common enough that the vulnerable attack surface is enormous. A proof-of-concept exploit landed on GitHub the same day the CVE was disclosed, compressing the window between patch release and active exploitation to near zero. In short, nginx/F5 and the broader web infrastructure community are now racing to patch a vulnerability that has been quietly present in production servers since the Bush administration.

  • CVE-2026-42945 scores CVSS 9.2 with no authentication required, making it a top-priority patch for any internet-facing nginx deployment.
  • Fixes ship in nginx 1.30.1 (stable) and 1.31.0 (mainline); operators unable to patch immediately should migrate rewrite rules from unnamed to named PCRE captures as a mitigation.
  • The discovery was made by an AI scanner, not a human researcher, underscoring how automated tooling is now finding vulnerabilities that years of manual audits missed.

Nginx powers an estimated 34% of the world's web servers, so the patch adoption rate over the next 30 days will determine the actual blast radius of this disclosure.
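The interim mitigation named above, moving rewrite rules from unnamed to named PCRE captures, as an added Python example that is not from the article or from the nginx project: it finds every rewrite directive in a config text, turns each unnamed capture group into a named one and rewrites the matching $N references in the replacement. The config text is constructed for the example and the c1/c2 naming is an arbitrary choice; nginx's (?<name>...) syntax and $name variables are real, the helper names are not.

```python
import re
# Constructed nginx config (not from the page): two rewrites use unnamed PCRE
# captures ($1, $2); the third already uses a named capture and is left alone.
SAMPLE_CONF = r"""rewrite ^/old/(.*)$ /new/$1 permanent;
rewrite ^/user/(\d+)/post/(\d+)$ /posts?user=$1&id=$2 last;
rewrite ^/doc/(?<slug>[a-z-]+)$ /docs/$slug last;
"""
REWRITE_RE = re.compile(r'^(\s*rewrite\s+)(\S+)(\s+)(\S+)(.*;)', re.M)
NAMED_OPEN = re.compile(r"\(\?(?:P?<([A-Za-z_]\w*)>|'([A-Za-z_]\w*)')")
def capture_groups(pattern):
    # (offset, name) for each capturing group, name None when unnamed. Escapes
    # and character classes are skipped; (?:...) and lookarounds do not capture.
    groups, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            i += 2; continue             # escaped character, never a group
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(':
            m = NAMED_OPEN.match(pattern, i)
            if m:
                groups.append((i, m.group(1) or m.group(2)))
            elif not pattern.startswith('(?', i):
                groups.append((i, None))
        i += 1
    return groups

def to_named(pattern, replacement, prefix='c'):
    # Rewrite unnamed groups as (?<cN>...) and $N references as $cN. PCRE numbers
    # every capturing group left to right, so N is the group's overall index.
    names, out, last = {}, [], 0
    for n, (pos, name) in enumerate(capture_groups(pattern), start=1):
        if name is None:
            name = f'{prefix}{n}'
            out.append(pattern[last:pos] + f'(?<{name}>')
            last = pos + 1
        names[str(n)] = name
    out.append(pattern[last:])
    repl = re.sub(r'\$([1-9])', lambda m: '$' + names.get(m.group(1), m.group(1)), replacement)
    return ''.join(out), repl

def migrate(conf):
    # Same config text with every unnamed rewrite capture converted to a named one.
    def fix(m):
        pat, repl = to_named(m.group(2), m.group(4))
        return m.group(1) + pat + m.group(3) + repl + m.group(5)
    return REWRITE_RE.sub(fix, conf)
```

Run the output through `nginx -t` before reloading, since the script only touches rewrite directives and leaves captures used elsewhere (for example in location regexes) to be reviewed by hand.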

Potential risks and opportunities

Risks

  • Organizations running nginx in containerized or microservices environments may have hundreds of unpatched instances that are difficult to inventory, with exploitation possible within days of PoC publication.
  • Managed hosting providers and CDN operators (Cloudflare, Fastly, AWS CloudFront where nginx is embedded) face reputational and liability exposure if customers are breached before patches are fully deployed across shared infrastructure.
  • State-sponsored and ransomware groups could integrate the public PoC into mass-exploitation tooling within 72 hours, targeting unpatched government and critical infrastructure nginx deployments before patch cycles complete.

Opportunities

  • AI-powered vulnerability scanning vendors (Semgrep, Snyk, Aikido Security) can point to this discovery as direct evidence of AI's detection superiority over manual audits, likely accelerating enterprise sales cycles.
  • Patch management and infrastructure automation platforms (Ansible, Puppet, Chef, Wiz) have a concrete near-term upsell opportunity helping nginx operators identify and remediate affected instances at scale across hybrid fleets.
  • Web application firewall vendors (Imperva, Cloudflare, F5) can ship virtual patching rules for CVE-2026-42945 as an immediate stopgap, creating a purchasing moment for organizations that cannot patch production nginx on short notice.

What we don't know yet

  • Which AI scanning system or vendor made the discovery, and whether the methodology has been applied to other core web infrastructure components like Apache httpd or HAProxy.
  • Whether major cloud providers (AWS, Google Cloud, Cloudflare) running nginx-based infrastructure have already deployed mitigations internally ahead of the public patch.
  • The realistic percentage of nginx deployments using unnamed PCRE captures in rewrite rules, which would determine the true exploitable surface across the estimated 500 million+ nginx-served domains.