CVSS v4 score of 9.2. Exploitable without authentication, PoC already public.
A heap buffer overflow had been hiding in NGINX for 18 years, and it wasn't a human security researcher who finally found it. It was an AI agent.
An LLM-based platform developed by security startup depthfirst analyzed the NGINX codebase and identified multiple vulnerabilities. The most severe of them is CVE-2026-42945, carrying a CVSS v4 score of 9.2 and classified as CWE-122 (Heap-based Buffer Overflow). The flaw resides in ngx_http_rewrite_module and is said to potentially enable unauthenticated remote code execution (RCE) or denial of service (DoS).
Vulnerability Overview
This vulnerability affects both NGINX Plus and NGINX Open Source. An attacker could trigger heap memory corruption in NGINX worker processes simply by sending a specially crafted HTTP request. A proof-of-concept (PoC) exploit has already been made public.
DoS is the near-certain outcome, with the possibility of escalating to full RCE depending on the conditions.
The Dawn of AI-Powered Bug Hunting
There's another aspect of this story worth paying attention to: how the vulnerability was found. The flaw, uncovered by depthfirst's LLM-based platform, managed to slip past countless security researchers, code reviews, and static analysis tools over 18 years.
New tools bring new perspectives, and that's genuinely a good thing. But the flip side is that this likely signals the existence of similar undiscovered vulnerabilities lurking in other widely-used software, not just NGINX, that predate the age of AI-assisted analysis.
What You Should Do
· Restart NGINX after applying the patch
· Review your nginx.conf for any problematic patterns in rewrite directives
· If using NGINX as a Kubernetes ingress controller, include auto-generated configuration files in your review
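One way to carry out the configuration review above, as an added example (not code from depthfirst, NGINX or this article): it reads the output of `nginx -T`, which prints every loaded file including included and auto-generated ones, and lists each ngx_http_rewrite_module directive with its file and line. The article does not say which rewrite patterns are problematic, so the script only inventories candidates for manual review; the function name and the sample configuration are constructed for illustration.

```python
import re
import sys

# Directives implemented by ngx_http_rewrite_module.
REWRITE_DIRECTIVES = ("rewrite_log", "rewrite", "if", "set", "return",
                      "break", "uninitialized_variable_warn")
# `nginx -T` prefixes each loaded file's contents with this marker line.
FILE_MARKER = re.compile(r"^# configuration file (.+):$")
# A directive starts a line or follows ';', '{' or '}' on the same line.
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*(%s)(?=[\s;(])"
                       % "|".join(REWRITE_DIRECTIVES))

# Constructed sample of `nginx -T` output (not taken from a real system).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
events {}
http {
    include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/app.conf:
server {
    listen 80;
    set_real_ip_from 10.0.0.0/8;
    # rewrite ^/old /new;  (commented out, ignored)
    if ($request_uri ~ "^/legacy") { rewrite ^/legacy/(.*)$ /v2/$1 last; }
    location /api { set $backend "app"; return 301 /v2$request_uri; }
}
"""

def inventory_rewrite_directives(dump):
    """Return (file, line_no, directive, text) for each rewrite-module directive."""
    findings, current, line_no = [], "<unknown>", 0
    for raw in dump.splitlines():
        marker = FILE_MARKER.match(raw)
        if marker:                      # a new file starts; restart numbering
            current, line_no = marker.group(1), 0
            continue
        line_no += 1
        code = raw.split("#", 1)[0]     # match only on the part before a comment
        for m in DIRECTIVE.finditer(code):
            findings.append((current, line_no, m.group(1), raw.strip()))
    return findings

if __name__ == "__main__":
    # Usage: nginx -T > dump.txt && python this_script.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for path, n, name, line in inventory_rewrite_directives(text):
        print(f"{path}:{n}: [{name}] {line}")
```

For an ingress controller, run `nginx -T` inside the controller container so the generated configuration is part of the dump.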
The ngx_http_rewrite_module has been a core component of NGINX for years. A flaw that went unnoticed for 18 years is now out in the open, with a working PoC to go with it.