ADVERTISEMENT

NGINX is critically vulnerable: hackers can crash servers and run remote code with no authentication

A critical NGINX vulnerability, undiscovered for 18 years, allows hackers to crash servers with ease and even take full control without authentication in some common configurations. Emergency patches for the internet’s most popular web server were released on Wednesday, but working exploits are already public.

hijack Iot devices and web servers

Image by Cybernews

Ernestas Naprys
Ernestas Naprys Senior Journalist
May 14, 2026 Updated: 15 May 2026 3 min read

Millions of servers in danger

Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.
ADVERTISEMENT

3 more vulnerabilities

  • CVE-2026-42946: (8.3 out of 10) is an excessive memory allocation issue in two modules. Attackers can trigger a state mismatch, which causes NGINX to calculate a key length of roughly 1 terabyte, crashing the worker process.
  • CVE-2026-40701: (6.3 out of 10) is a use-after-free bug in NGINX’s SSL handling. If a TLS connection closes during a DNS lookup, NGINX destroys the connection’s memory pool without canceling the resolver request. The DNS timer later attempts to access freed memory, crashing the worker process.
  • CVE-2026-42934: (6.3 out of 10): An out-of-bounds read bug in NGINX's character encoding module. An off-by-one error (a counting mistake) causes NGINX to read memory just outside its intended boundary, which can corrupt its internal state.

ADVERTISEMENT