Four significant vulnerability disclosures landed this week across NGINX, Microsoft Outlook, VMware Fusion, and the PraisonAI framework — with active exploitation already confirmed on two of them, and proof-of-concept code publicly available for a third. The disclosures span a 16-year-old heap overflow, a zero-click email bug, a local privilege escalation, and an AI framework authentication bypass that drew scanners within hours of going public.
CVE-2026-42945: NGINX Heap Overflow Under Active Attack
The most severe of the week’s disclosures is CVE-2026-42945, a heap buffer overflow in NGINX’s `ngx_http_rewrite_module` carrying a CVSS score of 9.2. F5 patched the flaw — dubbed Nginx Rift — as part of its latest quarterly release, 16 years after it was introduced into the codebase.
According to VulnCheck, threat actors began exploiting the vulnerability over the weekend, just days after the CVE was published. “We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,” VulnCheck researcher Patrick Garrity warned.
The root cause, as detailed by Depthfirst, is a two-pass process in the script engine: one pass computes the required buffer size, and a second copies data. When a rewrite replacement containing a question mark is used, an internal state change between the two passes causes an unpropagated flag to produce an undersized buffer allocation. Attacker-controlled escaped URI data then writes past the heap boundary.
On default deployments, successful exploitation crashes the NGINX worker process and triggers a server restart — a denial-of-service condition. Remote code execution is possible only when Address Space Layout Randomization (ASLR) is disabled, which is not the default on most modern systems.
Exploitation requires no authentication and works via crafted HTTP requests, but does require a specific rewrite configuration. VulnCheck estimates roughly 5.7 million internet-exposed NGINX servers run a potentially vulnerable version, though the genuinely exploitable subset is smaller. Patches are available for both NGINX Plus and NGINX Open Source.
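Because exploitation depends on a particular rewrite configuration, defenders can triage their own servers before the patch is rolled out. The script below is an added example, not code from F5, VulnCheck or Depthfirst: it walks an nginx configuration, lists every `rewrite` and `set` directive (both belong to the rewrite module), and marks `rewrite` directives whose replacement string contains a question mark, the condition the root-cause analysis ties to the undersized allocation. The sample configuration is constructed. The check is a triage aid only: it does not follow `include` directives, and the write-up mentions request-side conditions (escaped URI data) that a static config check cannot see, so F5's advice to patch every instance still stands.

```python
import re

# Tokens are double-quoted, single-quoted, or bare; nginx accepts all three argument styles.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def strip_comment(line):
    """Drop a trailing '#' comment unless the '#' sits inside a quoted argument."""
    out, quote = [], None
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            break
        out.append(ch)
    return "".join(out)


def tokenize(line):
    """Split one config line into argument tokens, with quotes and the trailing ';' removed."""
    toks = [a or b or c for a, b, c in TOKEN_RE.findall(strip_comment(line))]
    return [t for t in (t.rstrip(";") for t in toks) if t]


def audit_config(text):
    """Return one finding per rewrite-module directive (rewrite, set) in the config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = tokenize(raw)
        if len(toks) < 3 or toks[0] not in ("rewrite", "set"):
            continue
        argument = toks[2]          # rewrite: replacement string; set: assigned value
        flagged = toks[0] == "rewrite" and "?" in argument
        findings.append({
            "line": lineno,
            "directive": toks[0],
            "argument": argument,
            "question_mark": flagged,
            "priority": "review-now" if flagged else "rewrite-module-in-use",
        })
    return findings


# Constructed sample configuration (hypothetical site, not a real deployment).
SAMPLE_CONFIG = """\
server {
    listen 80;
    # legacy URL cleanup
    rewrite ^/old/(.*)$ /new/$1? permanent;      # '?' drops the original query string
    rewrite ^/blog/(.*)$ /posts/$1 last;
    set $mobile "no";
    location /api/ {
        rewrite "^/api/v1/(.*)$" "/v2/$1?legacy=1" break;
    }
}
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("line %(line)d: %(directive)s %(argument)s -> %(priority)s" % f)
```

Run it against `/etc/nginx/nginx.conf` and each file it includes; any `review-now` line is a server to patch first, and an empty result only means the rewrite module is not configured, not that the binary is fixed.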
CVE-2026-40361: Zero-Click Outlook RCE Patched in 137-Flaw Patch Tuesday
Microsoft’s latest Patch Tuesday addressed 137 vulnerabilities, including CVE-2026-40361, a zero-click remote code execution flaw affecting a DLL shared by both Word and Outlook. Microsoft has rated exploitation as “more likely.”
Haifei Li, developer of the zero-day detection platform Expmon, was credited with reporting the flaw and posted additional context explaining its severity. Li describes it as a use-after-free bug triggered the moment a victim reads or previews an email — no link clicks or attachment opens required.
“The danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or previews the email,” Li said. “Since the bugs reside in Outlook’s email rendering engine, it is difficult to mitigate or block.”
Li drew a direct comparison to CVE-2015-6172, a flaw he discovered over a decade ago that was dubbed BadWinmail and described at the time as an “enterprise killer.” CVE-2026-40361 shares the same attack vector and potential impact. “Essentially, anyone could compromise a CEO or CFO just by sending an email,” Li noted, adding that the threat bypasses enterprise firewalls and lands directly in the inbox.
A plain-text email rendering mode in Outlook is a valid mitigation, per Li, though it degrades the user experience. Li confirmed he developed a proof-of-concept but not a working exploit achieving full code execution. Microsoft has not indicated the vulnerability is being exploited in the wild.
CVE-2026-41702: VMware Fusion Privilege Escalation
Broadcom patched a high-severity vulnerability in VMware Fusion on Thursday, tracked as CVE-2026-41702 and rated “important” by the vendor. The flaw was reported by researcher Mathieu Farrell.
Broadcom’s advisory describes it as a time-of-check time-of-use (TOCTOU) flaw occurring during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges can exploit it to escalate privileges to root on the host system.
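The TOCTOU pattern Broadcom describes is generic enough to show in a few lines. The Python below is an added illustration, not Broadcom's code and not the actual Fusion bug: a privileged helper that validates a path and then reopens it by name can be raced by a concurrent process that swaps the path between the two steps, while the hardened version opens once with `O_NOFOLLOW` and validates the descriptor it actually holds with `fstat`. The `between_check_and_use` hook and the temporary files are constructed so the race is deterministic for demonstration; in a real setuid binary the swap would come from another process.

```python
import os
import stat
import tempfile


def read_if_regular_unsafe(path, between_check_and_use=lambda: None):
    """Vulnerable check-then-use: validates the *name*, then opens the name again.
    The hook stands in for the race window a concurrent process would exploit."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing non-regular file")
    between_check_and_use()          # another process can replace the path here
    with open(path, "rb") as f:      # resolves the name a second time, following symlinks
        return f.read()


def read_if_regular_safe(path, between_check_and_use=lambda: None):
    """Hardened form: open once without following symlinks, then validate the object
    that was actually opened. A swap at any point either fails the open or is caught by fstat."""
    between_check_and_use()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)            # describes the descriptor, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing non-regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a 'public' file is replaced by a symlink to a 'secret' file
    inside the race window. Returns what each implementation ended up reading."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public data")
        with open(secret, "wb") as f:
            f.write(b"secret data")

        def swap():
            os.remove(public)
            os.symlink(secret, public)

        unsafe = read_if_regular_unsafe(public, swap)   # check passed, then the symlink was followed
        os.remove(public)                                # reset the fixture for the second run
        with open(public, "wb") as f:
            f.write(b"public data")
        try:
            safe = read_if_regular_safe(public, swap)
        except OSError:                                  # O_NOFOLLOW rejects the symlink
            safe = None
        return {"unsafe_read": unsafe, "safe_read": safe}


if __name__ == "__main__":
    print(demo())
```

The point for reviewers of setuid code is that every decision must be made on the handle the privileged operation will use, never on a name that is resolved again later.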
Broadcom has not indicated the flaw is being actively exploited. That said, the timing is notable: VMware products are a target category at this week’s Pwn2Own hacking competition, where ESX exploits can earn participants up to $200,000. Broadcom sent security team members to the event, and additional VMware patches may follow based on competition findings.
VMware Workstation has been removed from Pwn2Own’s target list this year, a departure from recent years when it generated significant payouts. CISA’s Known Exploited Vulnerabilities catalog currently includes 26 VMware flaws, a figure that underscores the historical exploitation rate for the product line.
CVE-2026-44338: PraisonAI Auth Bypass Scanned Within 4 Hours
A fourth disclosure this week hit the AI tooling space. CVE-2026-44338 is an authentication bypass in PraisonAI, a multi-agent framework used to deploy autonomous AI agents. The flaw affects versions 2.5.6 through 4.6.33, which shipped with a legacy Flask API server that had authentication disabled by default.
According to Sysdig, a scanner identifying itself as `CVE-Detector/1.0` began probing the vulnerable `/agents` endpoint on internet-exposed instances within 3 hours and 44 minutes of the advisory going public. The activity consisted of two passes eight minutes apart, each pushing approximately 70 requests in roughly 50 seconds.
The first pass swept generic disclosure paths including `/.env`, `/admin`, and `/users/sign_in`. The second narrowed to AI-agent surfaces. Critically, the scanner only targeted `/agents` and did not send requests to `/chat`, suggesting the goal was reconnaissance — confirming the auth bypass and logging exploitable hosts rather than achieving immediate code execution.
Sysdig assesses that reaching remote code execution via this vulnerability is not straightforward, as an unauthenticated attacker can only trigger pre-configured agent workflows. The NIST advisory notes that `/agents` returns configured agent metadata and `/chat` executes the `agents.yaml` workflow without requiring a token when the legacy server is active.
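Sysdig's description of the scanner gives enough structure to look for the same activity in your own access logs. The Python below is an added example, not Sysdig's or PraisonAI's code: it parses combined-format log lines, groups requests by source address, flags the `CVE-Detector/1.0` user agent, the three generic disclosure paths from the first pass, a 200 response on `/agents`, and any request to `/chat` (the endpoint that executes the workflow), then applies a sliding-window burst test approximating the reported ~70 requests in ~50 seconds. The log lines, addresses and timestamps are constructed, and the burst thresholds are assumptions to tune for your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SCANNER_UA = "CVE-Detector/1.0"
PROBE_PATHS = {"/.env", "/admin", "/users/sign_in"}   # generic disclosure paths from the first pass
BURST_WINDOW = timedelta(seconds=60)                  # assumed; reported passes ran ~70 requests in ~50 s
BURST_MIN_REQUESTS = 50                               # assumed threshold

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]        # match on the path, not the query string
    return rec


def has_burst(times):
    """True if any BURST_WINDOW-long sliding window holds at least BURST_MIN_REQUESTS hits."""
    times = sorted(times)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > BURST_WINDOW:
            lo += 1
        if hi - lo + 1 >= BURST_MIN_REQUESTS:
            return True
    return False


def analyze(log_text):
    """Group requests by source and classify each source that touched an indicator."""
    per_ip = defaultdict(lambda: {"requests": 0, "times": [], "scanner_ua": False,
                                  "probe_paths": set(), "agents_200": False, "chat_hit": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["times"].append(rec["ts"])
        s["scanner_ua"] |= rec["ua"] == SCANNER_UA
        if rec["path"] in PROBE_PATHS:
            s["probe_paths"].add(rec["path"])
        if rec["path"] == "/agents" and rec["status"] == 200:
            s["agents_200"] = True               # agent metadata was served to this client
        if rec["path"] == "/chat":
            s["chat_hit"] = True                 # /chat runs the agents.yaml workflow
    findings = {}
    for ip, s in per_ip.items():
        if s["chat_hit"]:
            verdict = "workflow-execution"       # went beyond reconnaissance; investigate first
        elif s["agents_200"]:
            verdict = "recon"                    # the /agents-only pattern Sysdig described
        elif s["probe_paths"] or s["scanner_ua"]:
            verdict = "probe"
        else:
            continue                             # nothing indicator-related from this source
        findings[ip] = {"verdict": verdict, "requests": s["requests"],
                        "burst": has_burst(s["times"]), "scanner_ua": s["scanner_ua"],
                        "probe_paths": sorted(s["probe_paths"])}
    return findings


def build_sample_log():
    """Constructed access-log lines shaped like the reported activity (not Sysdig's telemetry)."""
    t0 = datetime(2026, 4, 10, 14, 2, 0, tzinfo=timezone.utc)   # constructed date

    def line(ip, t, method, path, status, ua):
        return '%s - - [%s] "%s %s HTTP/1.1" %d 153 "-" "%s"' % (
            ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), method, path, status, ua)

    lines, probes = [], sorted(PROBE_PATHS)
    for i in range(70):                          # first pass: ~70 generic probes in ~50 s
        lines.append(line("203.0.113.7", t0 + timedelta(seconds=i * 50 / 70),
                          "GET", probes[i % 3], 404, SCANNER_UA))
    # second pass eight minutes later, abbreviated here to the single /agents request that matters
    lines.append(line("203.0.113.7", t0 + timedelta(minutes=8), "GET", "/agents", 200, SCANNER_UA))
    # constructed contrast case: a different client that continued on to /chat
    lines.append(line("198.51.100.22", t0 + timedelta(minutes=9), "GET", "/agents", 200, "python-requests/2.31"))
    lines.append(line("198.51.100.22", t0 + timedelta(minutes=9, seconds=3), "POST", "/chat", 200, "python-requests/2.31"))
    lines.append(line("192.0.2.9", t0 + timedelta(minutes=10), "GET", "/index.html", 200, "curl/8.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, f in analyze(build_sample_log()).items():
        print(ip, f)
```

Feed it the access log of any host that ran an affected PraisonAI version while the legacy server was active; a `recon` verdict means the instance has been catalogued and should be upgraded or taken offline, while `workflow-execution` means the agent workflow may already have been triggered and warrants incident handling.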
What This Means
This week’s disclosures follow a pattern that has become routine: patches release, PoC code appears within days, and exploitation begins before most organizations complete their patch cycles. The NGINX case compresses that timeline to under a week for a flaw that sat undetected for 16 years.
The Outlook zero-click bug is the highest-priority patch for enterprise environments. Unlike most RCE vulnerabilities, it requires zero user interaction and bypasses perimeter controls entirely — the attack surface is every inbox. Li’s comparison to BadWinmail is instructive: that flaw was considered severe enough to earn the “enterprise killer” label a decade ago, and the attack vector here is identical.
The PraisonAI case is a signal about AI tooling security posture. Frameworks built for rapid deployment often inherit legacy components — in this case, a Flask server with auth off by default — that create exposure the developer may not have intended. The sub-four-hour scanning window suggests automated exploit pipelines are now indexing AI-specific attack surfaces alongside traditional web infrastructure.
For VMware administrators, the Pwn2Own timing means this week’s Fusion patch may be the first of several. Organizations running VMware in multi-tenant or shared environments should treat privilege escalation flaws as high priority regardless of the “no known exploitation” status.
FAQ
What is CVE-2026-42945 and does it affect my NGINX server?
CVE-2026-42945 is a heap buffer overflow in NGINX’s `ngx_http_rewrite_module`, patched by F5 in its latest quarterly release. It affects both NGINX Plus and NGINX Open Source servers using rewrite and set directives — if your NGINX configuration does not use those directives, your exposure is reduced, but F5 recommends patching all instances regardless.
Does the Outlook zero-click vulnerability require any user action to trigger?
No. CVE-2026-40361 is triggered the moment a recipient reads or previews an affected email, with no clicks on links or attachments required. The only in-place mitigation short of patching is configuring Outlook to render emails exclusively in plain text format, which Haifei Li confirmed would block the attack vector.
How quickly do attackers typically exploit newly disclosed CVEs?
Timelines vary, but this week’s disclosures illustrate the compression at both ends: the NGINX flaw saw active exploitation within days of patching, and the PraisonAI auth bypass attracted automated scanners in under four hours. Security firm Sysdig has documented this pattern repeatedly with AI-adjacent tooling, where internet exposure combined with simple authentication flaws creates fast-moving targets.
Sources
- Exploitation of Critical NGINX Vulnerability Begins – SecurityWeek
- Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises – SecurityWeek
- High-Severity Vulnerability Patched in VMware Fusion – SecurityWeek
- PoC Code Published for Critical NGINX Vulnerability – SecurityWeek
- Hackers Targeted PraisonAI Vulnerability Hours After Disclosure – SecurityWeek