“Heap overflow vulnerability (CVE-2026-42945) in NGINX’s rewrite/set script engine present since 2008. The flaw enables attackers to corrupt memory and execute commands on widely deployed systems.”
Eighteen years sitting in the rewrite engine of the most deployed web server on the planet. Every security audit that ever touched NGINX missed it. Patch and rotate, but the more useful lesson is that “battle-tested” mature C code is not the same as audited C code. Nobody actually reads the rewrite module.