
A long-hidden flaw in a backbone of the web was found by AI; useful context for a colleague working on web infrastructure.

AI uncovers 18-year-old Nginx flaw
Story flow and key facts
An AI-powered security platform has uncovered a critical vulnerability in Nginx, a web server used by nearly one-third of all websites on the internet. The flaw, tracked as CVE-2026-42945, is a heap buffer overflow in the URL rewrite module that has existed undetected for 18 years. It allows for potential remote code execution under specific configurations and has been patched in Nginx versions 1.31.0 and 1.30.1.
The discovery was made by DepthFirst AI using an LLM-powered system that identified four security bugs in total. The vulnerability affects both open-source Nginx and commercial products like Nginx Plus, with F5 issuing patches for several impacted products. Exploitation could lead to denial of service or, on systems without ASLR enabled, arbitrary code execution.
Researchers note that the multi-process architecture of Nginx makes exploitation more feasible, as worker processes inherit identical memory layouts, allowing repeated attempts without crashing the entire server. The configuration patterns required to trigger the flaw are common in API gateway setups, raising concerns about widespread exposure. Security teams are urged to update immediately, especially given the public release of proof-of-concept code.
Facts
- An AI agent from DepthFirst AI discovered CVE-2026-42945, a critical heap buffer overflow in Nginx’s URL rewrite module.
- The vulnerability has existed for 18 years and affects Nginx versions from 0.6.27 to 1.30.0, patched in 1.31.0 and 1.30.1.
- CVE-2026-42945 has a CVSS severity score of 9.2 and could allow remote code execution on systems without ASLR enabled.
- Nginx powers nearly one-third of all websites and is widely used in commercial products including F5’s Nginx Plus.
- Proof-of-concept exploit code has been published, increasing urgency for administrators to update.
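The facts above give the affected range (0.6.27 through 1.30.0) and the fixed versions (1.30.1 and 1.31.0). The following script turns that into a triage check an administrator can run over `nginx -v` output from a fleet. It is an added example, not code from the article, from DepthFirst AI, or from the Nginx project; it assumes only that the banner contains an `nginx/<major>.<minor>.<patch>` token, and the sample banners (including the `nginx-plus-rNN` tag) are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the article: 0.6.27 through 1.30.0 inclusive.
# Fixed in 1.30.1 (stable branch) and 1.31.0 (mainline).
FIRST_AFFECTED = (0, 6, 27)
LAST_AFFECTED = (1, 30, 0)

# `nginx -v` prints a line such as "nginx version: nginx/1.30.0" (to stderr);
# builds may append a suffix such as a distro tag or an Nginx Plus release tag.
# Only the "nginx/x.y.z" token is assumed here.
_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_nginx_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from an nginx version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version lies inside the range the article reports as affected."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def assess(banner: str) -> str:
    """Return a one-line verdict for a single `nginx -v` banner."""
    v = parse_nginx_version(banner)
    if v is None:
        return "unknown: no nginx/x.y.z token found"
    label = ".".join(map(str, v))
    if v < FIRST_AFFECTED:
        verdict = f"{label}: predates the vulnerable code (before 0.6.27)"
    elif is_affected(v):
        verdict = f"{label}: AFFECTED by CVE-2026-42945, upgrade to 1.30.1 or 1.31.0"
    else:
        verdict = f"{label}: not affected (1.30.1 or later)"
    if "nginx-plus" in banner:
        # Nginx Plus releases carry F5's own patches, so the open-source base
        # version alone does not settle it; point the operator at F5's advisory.
        verdict += " [Nginx Plus build: confirm against F5's advisory]"
    return verdict


# Constructed sample banners; "rNN" is a placeholder, not a real Plus release.
SAMPLE_BANNERS = [
    "nginx version: nginx/1.30.0",
    "nginx version: nginx/1.30.1",
    "nginx version: nginx/1.31.0",
    "nginx version: nginx/1.24.0 (Ubuntu)",
    "nginx version: nginx/0.6.26",
    "nginx version: nginx/1.27.2 (nginx-plus-rNN)",
    "Server: Apache/2.4.58",
]


def run_check(banners=SAMPLE_BANNERS) -> dict:
    """Map each banner to its verdict; useful for batch triage of collected output."""
    return {b: assess(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in run_check().items():
        print(f"{banner!r:50} -> {verdict}")
```

The comparison uses integer tuples rather than string comparison, so `1.30.0` sorts correctly before `1.30.1` and `1.9.x` before `1.24.x`. Note that a version check only tells you whether the code is present; the article says the flaw needs specific rewrite configurations to be reachable, so an affected version in a deployment that never uses the rewrite module is still worth patching but may not be immediately exploitable.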
Canto visual news explainer. AI tools may assist production.