NGINX Zero Day Under Active Attack Could Crash Millions Of Servers

By 813 Staff

The security community is once again reliving a familiar nightmare: a critical flaw in a foundational piece of internet infrastructure is now being weaponized at scale, and the patch cycle is racing against an exploitation wave. The latest casualty is NGINX, the ubiquitous web server and reverse proxy that powers nearly a third of all websites. Internal documents circulating among enterprise security teams confirm that CVE-2026-42945, a critical heap overflow vulnerability, is under active exploitation in the wild. The warning from The Hacker News (@TheHackersNews) late Sunday evening has since triggered a scramble across DevOps and security engineering floors worldwide.

The bug, which carries a CVSS score of 9.8, resides in NGINX's HTTP/2 module. Engineers close to the project say an unauthenticated attacker can corrupt heap memory by sending a specially crafted sequence of HTTP/2 frames, so the only precondition is a TCP connection to a listener that terminates HTTP/2. In the worst case the result is remote code execution with the privileges of the worker process. NGINX drops its workers to the unprivileged account named by the user directive (typically nginx or www-data) while the master keeps root, so the attacker does not land as root, but a worker still holds the server's TLS private keys in memory and can reach every upstream the proxy talks to, which is often enough for lateral movement inside a containerized environment. An attempt that fails to achieve code execution still crashes the worker, which the master restarts, so a sustained stream of attempts is a denial of service even where the exploit never lands. The vulnerability was quietly patched in NGINX versions 1.27.8 (mainline) and 1.26.8 (stable), released on May 12, but the rollout has been anything but smooth. Many production systems remain unpatched, and proof-of-concept exploit code surfaced on a private security research forum within 48 hours of the disclosure.

Why this matters is brutally practical: if you run NGINX in front of any public-facing application, and the vast majority of you do, your attack surface just expanded significantly. A web application firewall inspects HTTP requests after the server has decoded them, but this exploit lives in the HTTP/2 framing layer that NGINX parses before any request exists, so rule sets keyed on URLs, headers or bodies never see it. The one exception is a deployment where a separate WAF or CDN terminates TLS and HTTP/2 itself and forwards plain HTTP/1.1 to the origin; there the crafted frames never reach NGINX's parser, and only instances that terminate HTTP/2 directly are exposed. Early telemetry from several major CDN providers indicates targeted scanning for NGINX instances with HTTP/2 enabled. NGINX does not switch HTTP/2 on by itself (it needs the http2 flag on a listen directive, or the http2 on; directive introduced in 1.25.1), but nearly every TLS-enabled deployment guide and packaged configuration does, so treat it as enabled until nginx -T says otherwise.

What happens next is a now-familiar playbook. Expect a wave of automated scanning bots within the next 72 hours. The maintainers have confirmed that no workaround exists short of disabling HTTP/2 support entirely, which for many services would cause significant performance degradation; it is still the correct stopgap for an instance that cannot be upgraded today, since a client that is not offered h2 during the TLS handshake simply falls back to HTTP/1.1 on the same listener. The most pressing uncertainty is whether any large-scale, high-profile exploit chains were run in the days before public disclosure. Security teams should patch immediately and audit logs back to early May, with one caveat about what those logs can show: NGINX's access log records completed requests, not individual frames, and a worker killed mid-connection writes nothing there at all. The signal to look for is in the error log, where the master process reports each crashed worker with a line of the form "worker process N exited on signal 11"; a cluster of those on an HTTP/2 listener should be treated as an exploitation attempt until proven otherwise.

Source: https://x.com/TheHackersNews/status/2055982489106370598
