A critical heap buffer overflow in the NGINX ngx_http_rewrite_module (CVE-2026-42945) affects 18 years of NGINX releases and spans NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX App Protect WAF, NGINX App Protect DoS, NGINX Gateway Fabric, and NGINX Ingress Controller. Unconditional unauthenticated denial-of-service is possible against any affected instance; remote code execution is conditional on deployment context. A public proof-of-concept is available on GitHub, lowering the exploitation skill threshold. Three companion CVEs indicate related memory management weaknesses in the same subsystem. F5 has issued patches.