Critical NGINX Vulnerability CVE-2026-42945 Is Under Active Attack — What Small Business Website Owners Need to Do Now

A critical heap buffer overflow flaw in NGINX (CVE-2026-42945) is already being actively exploited just days after disclosure. Here's what it is, why it matters for your business website, and the steps you need to take right now.

If your business has a website — and chances are it does — there's a security story you need to hear right now. A critical flaw in one of the most widely used pieces of web server software on the planet is already being weaponized by attackers, less than a week after it was publicly disclosed. The flaw is called CVE-2026-42945, it carries a CVSS score of 9.2, and it affects software that quietly powers a huge portion of the internet you use every day.

What Is NGINX, and Why Should You Care?

Most people have never heard of NGINX (pronounced "engine-x"), but it's almost certainly running on servers that host the websites you visit daily. Help Net Security describes it as "the most widely deployed web server" and a fundamental piece of modern web infrastructure — used not just as a web server, but also as a load balancer, reverse proxy, and HTTP cache.

Think of NGINX as the traffic director for a website. When you type a web address into your browser, NGINX is often the software on the other end that receives your request and routes it to the right place. Its development is overseen by F5, which maintains the open-source version (NGINX Open Source) and sells a commercial edition called NGINX Plus.

For Yuba City small business owners, this matters because your website — whether it's hosted on a cloud platform, managed by a web developer, or run on a VPS — is very likely sitting behind an NGINX server. You may never touch NGINX directly, but your hosting provider almost certainly does.

What's the Actual Vulnerability?

CVE-2026-42945, nicknamed NGINX Rift by the researchers who discovered it, is a heap buffer overflow in a component called ngx_http_rewrite_module — a module included in every standard NGINX build. The flaw affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus versions R32 through R36, meaning it has technically existed since 2008, according to The Hacker News.

Here's the non-technical version of how it works: when NGINX is configured a certain way — using a common rewrite pattern that developers regularly use — an attacker can send a specially crafted HTTP request that causes the server to write data past the boundaries of its allocated memory. Because the content of what gets written is shaped by the attacker's input, this isn't random chaos; it's controlled and deterministic.

The result? Two potential outcomes:

  • Denial-of-service (DoS): The server's worker processes crash repeatedly, taking your website down.
  • Remote code execution (RCE): In more specific conditions, an attacker could potentially run malicious code on your server.

Security Affairs reports that security researcher Kevin Beaumont offered an important nuance: achieving full remote code execution requires the target server to have Address Space Layout Randomization (ASLR) disabled — which is not the default on modern Linux systems. That's actually good news, because ASLR is enabled by default on virtually every mainstream Linux distribution.

But as AlmaLinux maintainers noted, "'not easy' is not 'impossible,' and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent." In other words: even if RCE isn't trivial, crashing your web server is, and that alone is serious enough to demand immediate action.

It's Already Being Exploited

This isn't a theoretical risk. VulnCheck security researcher Patrick Garrity reported that exploitation attempts began appearing on VulnCheck's canary systems on May 16 — just three days after the vulnerability details and a proof-of-concept exploit were made public.

A Censys query surfaced roughly 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, though VulnCheck noted the truly exploitable population is a smaller subset of those, since the specific rewrite configuration must be present.

That said, "a smaller subset of 5.7 million" is still an enormous number of servers — and attackers are actively scanning for them right now.

Who Needs to Act?

This vulnerability primarily affects server administrators, web hosting companies, and IT teams managing infrastructure. Here's a quick breakdown of who should be doing what:

If you manage your own server or VPS: Update immediately. F5 has released patches in NGINX Open Source versions 1.31.0 and 1.30.1, and NGINX Plus versions R36 P4 and R32 P6. AlmaLinux, Ubuntu, and Debian have also begun releasing patched nginx packages through their package managers. Run your updates now.

If you use a managed web host (like GoDaddy, SiteGround, WP Engine, etc.): Contact your hosting provider today and ask them directly: "Have you patched CVE-2026-42945 in NGINX?" Reputable managed hosts should be patching this rapidly, but it's worth confirming — especially if your site handles customer data, e-commerce transactions, or appointment bookings.

If a web developer or IT vendor manages your server: Reach out and ask the same question. Don't assume it's been handled.

Mitigation option: F5 has also provided an interim workaround: using named captures instead of unnamed captures in rewrite definitions. If patching immediately isn't possible, a knowledgeable server admin can implement this configuration change as a stop-gap.
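Both the affected version range and the named-capture workaround described above can be checked mechanically. The following Python is an added example, not code from F5 or from this article's sources. Its function names, the sample configuration and the version banners are constructed, and the unnamed-capture check is a heuristic that lists rewrite directives to convert, not a test of whether a server is exploitable.

```python
import re

# Affected NGINX Open Source range as stated in the article (inclusive).
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

# An unescaped "(" not followed by "?" opens an unnamed (numbered) PCRE group;
# "(?<name>...)" is a named capture and "(?:...)" does not capture at all.
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")
REWRITE = re.compile(r"^\s*rewrite\s+(\S+)\s+\S+")


def parse_version(banner):
    """Pull (major, minor, patch) out of `nginx -v` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version in {banner!r}")
    return tuple(int(part) for part in m.groups())


def in_affected_range(banner):
    """True if the reported Open Source version lies in the affected range."""
    return AFFECTED_MIN <= parse_version(banner) <= AFFECTED_MAX


def find_unnamed_capture_rewrites(config_text):
    """Return (line_number, directive) for rewrites using unnamed captures."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # heuristic: treat "#" as comment start
        m = REWRITE.match(code)
        if m and UNNAMED_GROUP.search(m.group(1)):
            findings.append((lineno, code.strip()))
    return findings


# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """\
server {
    rewrite ^/old/(.*)$ /new/$1 last;
    rewrite ^/shop/(?<item>[^/]+)$ /catalog/$item last;
    rewrite ^/static/(?:css|js)/(?<f>.+)$ /assets/$f break;
    # rewrite ^/legacy/(.*)$ /archive/$1 last;
}
"""

if __name__ == "__main__":
    for lineno, directive in find_unnamed_capture_rewrites(SAMPLE_CONF):
        print(f"line {lineno}: {directive}")
```

Distribution packages can carry the fix while still reporting an upstream version inside the affected range, so a banner that matches should be confirmed against the distribution's own advisory. Feed the scanner the full configuration dump from `nginx -T` so that included files are covered.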

The Bigger Picture for Small Businesses

One thing this vulnerability illustrates clearly is how much of your business's digital security depends on software you've never heard of. NGINX isn't something most small business owners install themselves — it's baked into the infrastructure that runs beneath your website. That invisibility is precisely what makes it risky: vulnerabilities in foundational software often go unnoticed and unpatched for far longer than they should.

The pattern here — critical flaw disclosed, PoC published, exploitation begins within days — is becoming the new normal. As we covered with the May Patch Tuesday roundup, attackers have accelerated their timelines dramatically. The window between "flaw made public" and "flaw actively weaponized" is now measured in days, not weeks.

If you're a local business owner unsure whether your website infrastructure is up to date, or if you're managing any kind of server environment and want a second set of eyes on your exposure, we're happy to help at Computer Works. Our business IT services are built around exactly these kinds of situations — keeping the software you rely on protected before attackers get there first.

For now, the most important step is simple: call your hosting provider or web developer today and confirm they've applied the NGINX patches. Don't let a piece of software you've never heard of become the reason your website goes dark — or worse.
