| Multiple vulnerabilities have been discovered in NGINX. NGINX is software used for web serving, reverse proxying, caching, and load balancing. Successful exploitation of the most severe of these vulnerabilities may allow an unauthenticated threat actor to crash vulnerable NGINX worker processes by sending crafted HTTP requests. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, exploitation may result in remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights. |
| Threat Intelligence |
| A proof-of-concept exploit has been published by DepthFirst. In addition, an individual at VulnCheck has reported that CVE-2026-42945 has been exploited in the wild. |
| Systems Affected |
| NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; NGINX Instance Manager 2.16.0 through 2.21.1; F5 WAF for NGINX 5.9.0 through 5.12.1; NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0; F5 DoS for NGINX 4.8.0; NGINX App Protect DoS 4.3.0 through 4.7.0; NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1; NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1 |
| Risk |
| Government: – Large and medium government entities: High – Small government entities: Medium |
| Businesses: – Large and medium business entities: High – Small business entities: Medium |
| Home Users: Low |
| Recommendations |
| Apply appropriate updates provided by F5 or other vendors which use this software to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. |
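A triage check built from the advisory's "Systems Affected" ranges and its note on ASLR, added here as an example and not taken from the advisory or from F5. The function names, result labels and sample banners are constructed; it assumes the banner text printed by `nginx -v` and the Linux value read from `/proc/sys/kernel/randomize_va_space` (0 means ASLR is disabled).

```python
import re

# Inclusive affected ranges, copied from the advisory's "Systems Affected" list.
AFFECTED = {
    "NGINX Open Source": [("0.6.27", "1.30.0")],
    "NGINX Instance Manager": [("2.16.0", "2.21.1")],
    "F5 WAF for NGINX": [("5.9.0", "5.12.1")],
    "NGINX App Protect WAF": [("4.9.0", "4.16.0"), ("5.1.0", "5.8.0")],
    "F5 DoS for NGINX": [("4.8.0", "4.8.0")],
    "NGINX App Protect DoS": [("4.3.0", "4.7.0")],
    "NGINX Gateway Fabric": [("1.3.0", "1.6.2"), ("2.0.0", "2.5.1")],
    "NGINX Ingress Controller": [("3.5.0", "3.7.2"), ("4.0.0", "4.0.1"),
                                 ("5.0.0", "5.4.1")],
}
PLUS_AFFECTED = (32, 36)  # NGINX Plus R32 through R36


def _key(version):
    """Turn '1.30.0' into (1, 30, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(product, version):
    """True if version lies in any affected range listed for product."""
    return any(_key(lo) <= _key(version) <= _key(hi)
               for lo, hi in AFFECTED[product])


def triage(banner, randomize_va_space):
    """Classify a host from `nginx -v` text and the kernel ASLR setting."""
    plus = re.search(r"nginx-plus-r(\d+)", banner)
    oss = re.search(r"nginx/(\d+\.\d+\.\d+)", banner)
    if plus:  # Plus builds carry both strings; the release number decides
        hit = PLUS_AFFECTED[0] <= int(plus.group(1)) <= PLUS_AFFECTED[1]
    elif oss:
        hit = is_affected("NGINX Open Source", oss.group(1))
    else:
        return "unknown"  # banner not recognised; check by hand
    if not hit:
        return "not-listed"
    # Advisory: worker crash in general, code execution where ASLR is disabled.
    return "affected-aslr-off" if randomize_va_space.strip() == "0" else "affected"


if __name__ == "__main__":
    # Constructed samples: (nginx -v banner, /proc/sys/kernel/randomize_va_space)
    for banner, aslr in [("nginx version: nginx/1.24.0", "2\n"),
                         ("nginx version: nginx/1.25.5 (nginx-plus-r32)", "0\n"),
                         ("nginx version: nginx/1.30.1", "2\n")]:
        print(f"{banner!r}: {triage(banner, aslr)}")
```

Distribution packages can carry backported fixes without changing the upstream version string, so an "affected" result is a prompt to check the package vendor's advisory, not proof that the host is unpatched.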