ctipilot.ch

CVE-2026-42945 — NGINX Open Source / Plus: 18-year-old heap buffer overflow, ITW confirmed

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24 May 2026) · published 2026-05-18

First covered on 2026-05-15 as disclosure-only; upgraded to Active ITW on 2026-05-17 on the strength of VulnCheck honeypot data. That is the fastest disclosure-to-exploitation transition in this week's CVE set. Patch to NGINX 1.28.0 (stable) / NGINX Plus R35 immediately. Where patching is not yet possible, inventory every rewrite directive in nginx.conf (and the files it includes) whose regex uses unnamed PCRE capture groups, then put rate-limiting in front of those locations (nginx's own limit_req, or a CDN/WAF layer ahead of it) or WAF rules that filter requests containing a ? and matching one of those rewrite patterns. Treat this as a stopgap only: rate-limiting slows repeated attempts but does not block a single crafted request, and a WAF rule is only as good as its match against the actual rewrite pattern.
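As an added example that is not part of the original brief, the POSIX shell audit below automates the inventory step: it lists every rewrite directive whose regex contains an unnamed PCRE capture group, meaning a ( that is not followed by ?, and ignores escaped \( literals, named groups, non-capturing groups and lookarounds (all of which begin with "(?"). The nginx.conf it runs over is constructed here for the demonstration; the limit_req lines in it show the generic nginx rate-limit pattern the stopgap refers to, not a rule known to block this CVE. Function names are my own, not an NGINX or F5 tool.

```shell
#!/bin/sh
# Audit helper added for this brief (not NGINX/F5 code). Flags `rewrite`
# directives whose regex has at least one unnamed capture group.
# Usage: list_unnamed_capture_rewrites /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf

# Print "file:line:directive" for every rewrite with an unnamed capture group.
list_unnamed_capture_rewrites() {
    # Only lines that begin with the rewrite directive (commented-out rewrites
    # start with '#', so they are skipped). -H forces the file name, -n the line.
    grep -HnE '^[[:space:]]*rewrite[[:space:]]' "$@" 2>/dev/null \
      | sed -E 's/\\./_/g' \
      | grep -E '\([^?]' || true
    # sed: replace any backslash-escaped character with '_' so "\(" literals
    #      no longer look like groups.
    # grep: keep lines with a "(" not followed by "?" (named, non-capturing and
    #      lookaround groups all start with "(?" and are therefore excluded).
}

# Count flagged directives; 0 means nothing to review.
count_unnamed_capture_rewrites() {
    list_unnamed_capture_rewrites "$@" | wc -l | tr -d ' '
}

# Constructed sample config (not from any real deployment) covering the cases
# the audit must distinguish. Only the /legacy/ rewrite should be flagged.
write_sample_config() {
    cat > "$1" <<'EOF'
http {
    # Rate-limit stopgap pattern: 10 r/s per client IP, shared zone of 10 MB.
    limit_req_zone $binary_remote_addr zone=rewrite_zone:10m rate=10r/s;

    server {
        listen 80;

        location /legacy/ {
            limit_req zone=rewrite_zone burst=20 nodelay;
            # unnamed capture group -> flagged
            rewrite ^/legacy/(.*)$ /app/$1 last;
        }

        location /user/ {
            # named capture group -> not flagged
            rewrite ^/user/(?<name>[a-z]+)$ /profile?u=$name last;
        }

        location /docs/ {
            # non-capturing group and escaped literal parens -> not flagged
            rewrite ^/docs/(?:v1|v2)/\(old\)$ /docs/current last;
        }

        # rewrite ^/old/(.*)$ /new/$1;   (commented out -> not flagged)
    }
}
EOF
}

# Stand-alone demonstration: write the sample config, run the audit over it.
demo() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp/nginx.conf"
    echo "Flagged rewrite directives:"
    list_unnamed_capture_rewrites "$tmp/nginx.conf"
    echo "Count: $(count_unnamed_capture_rewrites "$tmp/nginx.conf")"
    rm -rf "$tmp"
}

demo
```

In production run it against the fully resolved configuration rather than nginx.conf alone, since rewrite rules are often spread across included files: `nginx -T` prints the complete config after includes, so `nginx -T 2>/dev/null > /tmp/resolved.conf` followed by `list_unnamed_capture_rewrites /tmp/resolved.conf` covers everything the running binary actually loaded. The check is line-based, so a rewrite split across several physical lines would need the regex on the first line to be seen.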