Impact statement: NGINX published May 2026 security updates for open source NGINX and NGINX Plus, including CVE-2026-42945. Public reporting rates CVE-2026-42945 as a critical memory-corruption risk that can lead to denial of service and, in specific configurations, possible remote code execution. If you run NGINX on public hosting, reverse proxies, CDN origins, Kubernetes ingress, API gateways, or customer web servers, patch now.
There is a severity-language mismatch in the public sources: NGINX’s advisory page lists the issue as medium while NVD-style public reporting uses a critical CVSS score. Hosting operators should not get stuck on the label. The fix is available, the component is internet-facing in many environments, and NGINX sits directly in front of customer traffic.
Affected Versions
NGINX lists CVE-2026-42945 as affecting open source NGINX versions 0.6.27 through 1.30.0. The fixed open source releases are NGINX 1.30.1 and NGINX 1.31.0. NGINX Plus administrators should apply the matching F5-published NGINX Plus patch for their supported release line.
The same May 2026 advisory page also lists related fixes for CVE-2026-42926, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460, and CVE-2026-40701. Treat this as an NGINX security maintenance window, not a one-CVE-only task.
Who Should Prioritize This
- Public NGINX web servers and reverse proxies.
- Hosting providers using NGINX in front of Apache, PHP-FPM, Node.js, Python, or upstream app pools.
- CDN origins and customer edge gateways.
- cPanel, Plesk, DirectAdmin, Webmin/Virtualmin, and custom control-panel stacks that use NGINX.
- Kubernetes ingress, container images, and application delivery images that package NGINX.
- Load balancers and API gateways where NGINX config is generated by automation.
Check Your Version
# Show the active NGINX version.
nginx -v
# Show build options and module context, one flag per line (the list includes the --with-* and --add-module flags you need when matching a vendor build).
nginx -V 2>&1 | tr ' ' '\n' | head -80
# Confirm the package source on Debian or Ubuntu.
apt-cache policy nginx
# Confirm the package source on AlmaLinux, Rocky, RHEL, or CloudLinux.
dnf info nginx
If your server reports NGINX 1.30.0 or older, check your vendor repository and update path before concluding that you are exposed: Debian, Ubuntu and the RHEL family routinely backport security fixes without changing the upstream version number, so confirm from the package changelog whether CVE-2026-42945 is already addressed in the build you run. For NGINX Plus, follow the F5/NGINX Plus support advisory for your release line.
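The following is an added example, not part of the NGINX advisory and not one of this page's own commands: it classifies the string `nginx -v` prints against the ranges quoted above (affected 0.6.27 through 1.30.0, fixed in 1.30.1 and 1.31.0) with a plain component-by-component version comparison, so it also handles four-part strings such as an OpenResty build. Its one assumption is that the version string is upstream's; a distribution build that backports the fix keeps the old number and must be judged from the package changelog instead.

```shell
#!/bin/sh
# Added example: classify an NGINX version against the ranges this page quotes.
# Assumes an upstream version string (no distribution backport).

# True (exit 0) when dotted version $1 is the same as or newer than $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0     # a missing component counts as 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Pull the bare version out of the banner, e.g. "nginx version: nginx/1.30.0"
# or "nginx version: openresty/1.25.3.1". nginx -v writes the banner to
# stderr, which is why the live check below redirects 2>&1.
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: [^/]*\/\([0-9][0-9.]*\).*$/\1/p'
}

# Prints one of: unaffected (older than 0.6.27), vulnerable (0.6.27 .. 1.30.0),
# fixed (1.30.1, 1.31.0 or newer).
nginx_version_status() {
    if ! version_ge "$1" 0.6.27; then echo unaffected
    elif version_ge "$1" 1.30.1; then echo fixed
    else echo vulnerable
    fi
}

# Live check on this host; skipped where nginx is not installed.
if command -v nginx >/dev/null 2>&1; then
    ver=$(nginx_version_from_banner "$(nginx -v 2>&1)")
    if [ -n "$ver" ]; then
        printf 'installed nginx %s: %s\n' "$ver" "$(nginx_version_status "$ver")"
    else
        echo "could not parse the nginx -v banner" >&2
    fi
fi
```

A `vulnerable` result on a distribution package is a prompt to read the changelog, not a verdict; a `fixed` result only says what is on disk, not what the running master process was started from.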
Patch On Ubuntu Or Debian
# Refresh repository metadata.
apt update
# Preview the available NGINX build.
apt-cache policy nginx
# Upgrade NGINX from the configured vendor repository.
apt install --only-upgrade nginx
# Validate config before touching the running service.
nginx -t
# A reload (SIGHUP) re-reads the configuration but keeps the old executable in memory.
# After a package upgrade, restart unless the package's post-install script already did.
systemctl restart nginx
If the distribution repository does not yet offer a fixed build, decide whether to use the official NGINX repository, a vendor backport, or a temporary maintenance plan. Do not mix random binaries into a production hosting server without documenting the package source and rollback path.
Patch On AlmaLinux, Rocky, RHEL, Or CloudLinux
# Check the current package and repository source.
dnf info nginx
# Apply the available security update.
dnf update nginx
# Validate, then restart so the new executable is the one actually serving traffic
# (a reload alone would keep the old binary in memory).
nginx -t
systemctl restart nginx
On cPanel, Plesk, DirectAdmin, and CloudLinux systems, confirm whether NGINX comes from the OS vendor, the control panel, a reverse-proxy plugin, or the official NGINX repository. Patch through the owner of that package source so future updates keep working.
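One way to tie the apt and dnf steps above together, as an added example that is not from the page or from any distribution's package scripts: it picks the package family from /etc/os-release, refuses to touch the service when `nginx -t` fails, and restarts only when the running master still maps the pre-upgrade executable (the kernel reports that as a "(deleted)" target of /proc/PID/exe). It assumes systemd with a unit named nginx, Linux /proc, procps `pgrep`, and a master process whose name is nginx. The package commands run only when the script is invoked with `--apply`; the helper functions run on their own.

```shell
#!/bin/sh
# Added example: a guarded wrapper around the apt/dnf upgrade steps.
# Assumptions: systemd unit "nginx", Linux /proc, procps pgrep, master process named nginx.

# Package family from /etc/os-release text on stdin: debian, rhel or unknown.
os_family() {
    awk -F= '$1 == "ID" || $1 == "ID_LIKE" { gsub(/"/, "", $2); ids = ids " " $2 }
             END {
                 if (ids ~ /debian|ubuntu/) print "debian"
                 else if (ids ~ /rhel|fedora|centos/) print "rhel"
                 else print "unknown"
             }'
}

# Given the target of /proc/<pid>/exe, report whether the file on disk has
# been replaced since the process started: the kernel appends " (deleted)".
binary_stale() {
    case "$1" in *" (deleted)") return 0 ;; *) return 1 ;; esac
}

# Run the distribution's upgrade step for the given family.
upgrade_package() {
    case "$1" in
        debian) apt-get update && apt-get install -y --only-upgrade nginx ;;
        rhel)   dnf -y update nginx ;;
        *)      echo "unknown package family; patch through the package owner" >&2; return 2 ;;
    esac
}

apply_patch() {
    fam=$(os_family < /etc/os-release)
    upgrade_package "$fam" || return 1
    # Never restart on a broken config: the old master keeps serving until it is fixed.
    nginx -t || { echo "config test failed; not restarting" >&2; return 1; }
    pid=$(pgrep -o -x nginx) || { echo "nginx is not running" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe")
    if binary_stale "$exe"; then
        # A reload (SIGHUP) would keep the old code in memory; only a restart
        # (or the nginx.org USR2 binary-upgrade procedure) loads the new file.
        echo "master still runs $exe; restarting"
        systemctl restart nginx
    else
        echo "master already runs the current executable; no restart needed"
    fi
    # Final state: the master must map the current file, not a deleted one.
    ! binary_stale "$(readlink "/proc/$(pgrep -o -x nginx)/exe")"
}

if [ "${1:-}" = "--apply" ]; then
    apply_patch
fi
```

The same "(deleted)" check is the quickest way to tell, on any host, whether an earlier upgrade was followed by a real restart or only by a reload.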
Containers And Kubernetes
- Identify images that include NGINX, not just images named nginx.
- Rebuild custom images from a fixed base image.
- Update ingress controller images only after checking that project’s own advisory and release notes.
- Roll pods gradually and keep enough healthy replicas online.
- Confirm readiness, liveness, and traffic routing after the rollout.
# Example inventory checks. These match on pod and deployment names only; a custom
# image that bundles NGINX under another name will not show up here.
kubectl get pods -A -o wide | grep -i nginx || true
kubectl get deployments -A | grep -i nginx || true
# After updating image references, roll one workload at a time.
kubectl rollout status deployment/YOUR-DEPLOYMENT -n YOUR-NAMESPACE
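An added image-level inventory, not one of the page's own commands and not part of any Kubernetes project: it pulls every container and init-container image per pod through a `kubectl` jsonpath template, parses each image reference into repository, tag and digest (registry ports and `@sha256:` digests included), and flags repositories whose name says nginx or openresty. The sample pod listing, with its namespaces, pod names and image names, is constructed. Anything reported as UNKNOWN is not cleared; it needs an SBOM or scanner check to say whether it bundles NGINX.

```shell
#!/bin/sh
# Added example: inventory pod images and flag the ones that are NGINX by name.
# Assumes kubectl for the live run; the sample below is constructed.

TAB=$(printf '\t')

# Live collection: one line per pod, "namespace<TAB>pod<TAB>image image ...",
# covering init containers as well as app containers.
collect_pod_images() {
    kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.initContainers[*]}{.image}{" "}{end}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'
}

# Split an image reference into "repository tag digest" ("-" when absent).
# registry:5000/team/app:1.2@sha256:abcd -> registry:5000/team/app 1.2 sha256:abcd
parse_image_ref() {
    _ref="$1"; _digest=""; _tag=""
    case "$_ref" in *@*) _digest="${_ref#*@}"; _ref="${_ref%@*}" ;; esac
    _last="${_ref##*/}"                       # last path component holds the tag
    case "$_last" in *:*) _tag="${_last##*:}"; _ref="${_ref%:*}" ;; esac
    [ -n "$_tag" ] || [ -n "$_digest" ] || _tag=latest   # registry default
    printf '%s %s %s\n' "$_ref" "${_tag:--}" "${_digest:--}"
}

# Name-based match: nginx itself, nginx-unprivileged, ingress-nginx, openresty.
is_nginx_image() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *nginx*|*openresty*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the collected lines on stdin; print "FLAG repo tag digest ns/pod",
# one line per image per pod, deduplicated.
report_images() {
    while IFS="$TAB" read -r ns pod images; do
        for img in $images; do printf '%s\t%s/%s\n' "$img" "$ns" "$pod"; done
    done | sort -u | while IFS="$TAB" read -r img owner; do
        set -- $(parse_image_ref "$img")
        if is_nginx_image "$1"; then flag=NGINX; else flag=UNKNOWN; fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$flag" "$1" "$2" "$3" "$owner"
    done
}

# Constructed sample in the same shape the jsonpath template produces.
SAMPLE_PODS=$(
  printf 'ingress\tingress-nginx-controller-7d9\tregistry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0123 \n'
  printf 'web\tshop-frontend-abc\tregistry.example.com:5000/shop/frontend:2.4.1 docker.io/library/busybox:1.36 \n'
  printf 'web\tlegacy-proxy-xyz\tnginx:1.30.0 \n'
)

printf '%s\n' "$SAMPLE_PODS" | report_images
# Live: collect_pod_images | report_images
```

Tags on the NGINX lines can be compared against the affected range by hand; images pinned only by digest have to be resolved in the registry first.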
Temporary Mitigation If You Cannot Patch Today
The real fix is upgrading. If a production server cannot be patched immediately, review NGINX rewrite and regular-expression configuration, especially legacy rules that use unnamed captures. Move risky legacy patterns toward clearer named captures during a tested maintenance window, and validate the full config before reload. This is a stopgap, not a replacement for the fixed NGINX release.
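An added illustration of the stopgap above, not code from the page or from NGINX: a constructed legacy vhost whose rules use positional captures, the same rules rewritten with named captures, and an audit function that lists every non-comment line still referencing `$1` to `$9` so the migration can be checked for completeness. Hostnames, paths and variable names are invented. The audit finds what to review; it makes no claim about which patterns reach the bug.

```shell
#!/bin/sh
# Added example: find rewrite/regex rules that still use positional captures.
# The configs are constructed; the audit reads any nginx config text on stdin.

LEGACY_CONF='server {
    listen 80;
    server_name legacy.example.com;
    # catalogue URLs kept from an earlier migration
    rewrite ^/catalog/([0-9]+)/(.*)$ /product.php?id=$1&slug=$2 last;
    location ~ ^/old-docs/(.*)$ {
        return 301 /docs/$1;
    }
    location / {
        try_files $uri $uri/ =404;
    }
}'

# The same behaviour with named captures. Each name becomes an nginx
# variable, so choose names that do not collide with ones already in use.
NAMED_CONF='server {
    listen 80;
    server_name legacy.example.com;
    rewrite ^/catalog/(?<id>[0-9]+)/(?<slug>.*)$ /product.php?id=$id&slug=$slug last;
    location ~ ^/old-docs/(?<rest>.*)$ {
        return 301 /docs/$rest;
    }
    location / {
        try_files $uri $uri/ =404;
    }
}'

# Print "<line>: <directive>" for every non-comment line on stdin that
# references $1 .. $9. Comments are stripped first, so a rule that is
# already commented out is not reported.
audit_unnamed_captures() {
    awk '{
            line = $0
            sub(/^[[:space:]]*#.*$/, "", line)
            sub(/[[:space:]]#.*$/, "", line)
        }
        line ~ /\$[1-9]/ {
            sub(/^[[:space:]]+/, "", line)
            printf "%d: %s\n", NR, line
        }'
}

# Number of lines still to migrate in the config text given as $1.
count_unnamed_captures() {
    printf '%s\n' "$1" | audit_unnamed_captures | wc -l | tr -d ' '
}

echo "legacy vhost, lines to review:"
printf '%s\n' "$LEGACY_CONF" | audit_unnamed_captures
echo "after migration: $(count_unnamed_captures "$NAMED_CONF") left"
# Live: audit_unnamed_captures < /etc/nginx/nginx.conf (repeat for included files),
# then nginx -t before any reload.
```

Run the audit over every included file, not just nginx.conf, and re-run it after the change so a forgotten `$1` in a `return` or `proxy_pass` does not survive the maintenance window.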
Post-Patch Verification
# Confirm the fixed version of the binary on disk. The running master must also have been
# restarted onto it; a reload alone does not replace the executable in memory.
nginx -v
# Validate config.
nginx -t
# Confirm service status.
systemctl status nginx --no-pager
# Confirm a public site still responds.
curl -I https://example.com/
Replace example.com with a domain on the server. For hosting nodes, test at least one static site, one PHP site, one proxied application, and one SSL/TLS vhost if those roles exist.
What To Review
- NGINX error logs around crashes, worker exits, and reload failures.
- Access logs for unusual request bursts against high-traffic vhosts.
- Package manager logs to confirm exactly when NGINX updated.
- Control-panel update logs if NGINX is managed by cPanel, Plesk, DirectAdmin, Webmin, Virtualmin, or a reverse-proxy plugin.
- Kubernetes event logs and rollout history for ingress or proxy workloads.
# Common log checks.
journalctl -u nginx --since "24 hours ago" --no-pager | tail -200
tail -n 200 /var/log/nginx/error.log
# Package history examples.
grep -i nginx /var/log/apt/history.log 2>/dev/null
dnf history info last 2>/dev/null
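An added triage helper for the log checks above, not one of the page's commands and not an NGINX tool: it reads an error log and reports worker exits grouped by signal, failed configuration loads, and the timestamp of the first crash, which is the window to pull from the access log afterwards. The sample lines are constructed in the standard error_log layout (`YYYY/MM/DD HH:MM:SS [level] pid#tid: message`); pids, paths and times are invented.

```shell
#!/bin/sh
# Added example: summarise worker crashes and failed reloads from an nginx error log.
# Sample log is constructed; feed a real file on stdin for a live run.

# "signal<TAB>count" for every worker exit on a signal, lowest signal first.
# 11 (SIGSEGV), 7 (SIGBUS) and 6 (SIGABRT) are the ones that matter for a
# memory-corruption bug; 9 and 15 are usually an operator or the OOM killer.
worker_signal_exits() {
    awk '/\[alert\] .*worker process [0-9]+ exited on signal [0-9]+/ {
            sig = $0
            sub(/.*exited on signal /, "", sig); sub(/[^0-9].*$/, "", sig)
            n[sig]++
        }
        END { for (s in n) printf "%s\t%d\n", s, n[s] }' | sort -n
}

# Number of worker exits on one signal (0 when none).
crash_count() {
    worker_signal_exits | awk -v s="$1" '$1 == s { print $2; f = 1 } END { if (!f) print 0 }'
}

# [emerg] lines: a config that failed to load. A failed reload leaves the
# previous configuration in service, so these need an owner too.
emerg_count() {
    grep -c '\[emerg\]' || true
}

# Timestamps of crash lines, for pulling the matching window from the access log.
crash_times() {
    awk '/\[alert\] .*exited on signal/ { print $1, $2 }'
}

# Human summary over an error log on stdin.
triage_error_log() {
    log=$(cat)
    echo "worker exits by signal:"
    printf '%s\n' "$log" | worker_signal_exits | sed 's/^/  signal /'
    echo "failed config loads ([emerg]): $(printf '%s\n' "$log" | emerg_count)"
    first=$(printf '%s\n' "$log" | crash_times | head -n 1)
    echo "first crash: ${first:-none}"
}

# Constructed sample: a failed reload, then repeated worker crashes.
SAMPLE_LOG='2026/05/14 09:58:02 [notice] 1000#1000: signal 1 (SIGHUP) received from 2001, reconfiguring
2026/05/14 09:58:02 [emerg] 1000#1000: unknown directive "proxy_pas" in /etc/nginx/conf.d/shop.conf:12
2026/05/14 10:22:31 [alert] 1000#1000: worker process 1234 exited on signal 11 (core dumped)
2026/05/14 10:22:31 [notice] 1000#1000: start worker process 1300
2026/05/14 10:22:45 [alert] 1000#1000: worker process 1300 exited on signal 11 (core dumped)
2026/05/14 10:23:10 [alert] 1000#1000: worker process 1301 exited on signal 6 (core dumped)
2026/05/14 11:00:00 [error] 1000#1000: *44 open() "/var/www/html/favicon.ico" failed (2: No such file or directory)'

printf '%s\n' "$SAMPLE_LOG" | triage_error_log
# Live: tail -n 5000 /var/log/nginx/error.log | triage_error_log
```

A run of signal-11 exits that starts before the patch and stops after it is the pattern worth writing down in the incident record; a run that continues after the restart means the new binary is not what is serving, or something else is crashing the workers.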
Customer Communication
Tell customers the practical version: NGINX released a security update, edge and origin proxies are being patched, the short service restart that loads the new binary should be barely noticeable, and sites will be checked after the update. For managed hosting, mention that public websites should remain online unless a server also needs broader operating-system maintenance.
CDN And WAF Note
The CDN side should prioritize NGINX origin and reverse-proxy inventory. Virtual patching can help reduce suspicious traffic while servers are being updated, but do not depend on the edge alone. Patch the origin NGINX package, reload safely, and verify real customer traffic.
Sources
- NGINX security advisories
- NVD: CVE-2026-42945
- BleepingComputer coverage of CVE-2026-42945
- SecurityWeek coverage of NGINX memory-corruption flaw
Need help patching NGINX on hosting servers, cPanel/Plesk nodes, CDN origins, or Kubernetes workloads? Open a ticket through Help4Network.com.
