Security

Five Critical CVEs Demand Immediate Patching


Synthesized from 5 sources

Microsoft, F5, Broadcom, and Drupal each disclosed or saw active exploitation of serious security flaws this week, with one NGINX heap overflow already being weaponized in the wild just days after its patch dropped and a zero-click Outlook bug drawing comparisons to a decade-old “enterprise killer.” The disclosures span web servers, email clients, virtualization software, and a widely deployed CMS — a broad surface area that security teams will need to triage simultaneously.

NGINX CVE-2026-42945: Active Exploitation Begins

The most urgent issue this week is CVE-2026-42945, a heap buffer overflow in NGINX’s `ngx_http_rewrite_module` carrying a CVSS score of 9.2. According to SecurityWeek, F5 patched the flaw as part of its latest quarterly release — 16 years after the bug was first introduced into the codebase.

The vulnerability stems from a two-pass process in NGINX’s script engine: one pass calculates the required buffer size, and a second copies data into it. Because internal engine state changes between the two passes, a crafted rewrite rule containing a question mark character causes an unpropagated flag to allocate an undersized buffer. Attacker-controlled URI data then writes past the heap boundary.
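The bug class described above, as an added illustration that is not NGINX's code: a hypothetical two-pass engine whose measuring pass counts each byte once, while the copying pass flips an "args" mode at '?' and then emits more bytes than were measured (the "%20" expansion is an invented stand-in for the real state change). The unchecked copy is shown beside a bounded copy that fails closed.

```c
#include <stdlib.h>
#include <string.h>

/* Pass 1: size the buffer.  Models a length pass that counts every
 * input byte once, unaware that pass 2 will switch modes at '?'. */
size_t measure_len(const char *uri) { return strlen(uri); }

/* Pass 2 (flawed): copies with no knowledge of how big `out` is.
 * Seeing '?' sets an "args" flag pass 1 never saw; after that, each
 * space becomes "%20", so the output can outgrow the measured size.
 * Shown for contrast only; never call it with a pass-1-sized buffer. */
size_t copy_uri_unchecked(const char *uri, char *out) {
    int args = 0; size_t n = 0;
    for (const char *p = uri; *p; p++) {
        if (*p == '?') args = 1;
        if (args && *p == ' ') { memcpy(out + n, "%20", 3); n += 3; }
        else out[n++] = *p;
    }
    out[n] = '\0';
    return n;
}

/* Hardened pass 2: bounded by the capacity it is handed, refuses to
 * write past it, and always leaves room for the terminator. */
long copy_uri_checked(const char *uri, char *out, size_t cap) {
    int args = 0; size_t n = 0;
    for (const char *p = uri; *p; p++) {
        if (*p == '?') args = 1;
        size_t need = (args && *p == ' ') ? 3 : 1;
        if (n + need >= cap) return -1;        /* would overflow: fail closed */
        if (need == 3) memcpy(out + n, "%20", 3); else out[n] = *p;
        n += need;
    }
    out[n] = '\0';
    return (long)n;
}

/* Triage helper: does this input make pass 2 outgrow pass 1's size? */
int sizes_disagree(const char *uri) {
    char tmp[256];
    long n = copy_uri_checked(uri, tmp, sizeof tmp);
    return n < 0 || (size_t)n > measure_len(uri);
}
```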

Exploitation is already underway. Patrick Garrity, researcher at VulnCheck, warned that the firm’s canary sensors detected active exploitation of CVE-2026-42945 “just days after the CVE was published.” The attack window opened almost immediately after Depthfirst published technical details and proof-of-concept code.

On default deployments with ASLR enabled, exploitation causes a worker process crash — a denial-of-service condition. If ASLR is disabled, remote code execution is achievable, though VulnCheck notes that reaching RCE requires sophisticated heap manipulation techniques including cross-request heap feng shui. VulnCheck’s Censys query identified roughly 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, though the firm emphasizes the truly exploitable subset is smaller since the bug requires a specific rewrite configuration.

Microsoft Patches Zero-Click Outlook RCE

Microsoft’s May Patch Tuesday addressed 137 vulnerabilities, but one stands out for enterprise risk: CVE-2026-40361, a zero-click use-after-free bug affecting a DLL shared by both Word and Outlook.

Haifei Li, developer of the zero-day detection platform Expmon and the researcher credited with reporting the flaw, posted on X that the vulnerability is exploitable the moment a victim reads or previews an email — no link click or attachment interaction required. “The danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or previews the email,” Li wrote, adding that the flaw resides in Outlook’s email rendering engine, making it difficult to block at the network perimeter.

Li drew an explicit comparison to CVE-2015-6172, a flaw he discovered over a decade ago that was labeled “BadWinmail” and called an “enterprise killer” at the time. The new bug shares the same attack vector and potential impact. “Essentially, anyone could compromise a CEO or CFO just by sending an email,” Li said, noting the threat bypasses enterprise firewalls entirely.

Microsoft rated CVE-2026-40361 as “exploitation more likely.” Li clarified that he developed only a proof-of-concept demonstrating the vulnerability’s existence, not a working exploit achieving full code execution. The recommended interim mitigation — configuring Outlook to render emails in plain text only — degrades usability but eliminates the attack surface.

Drupal Warns of Imminent “Highly Critical” Patch

Drupal’s security team issued a pre-announcement this week warning administrators to prepare for a patch dropping May 20 between 17:00 and 21:00 UTC for a flaw rated “highly critical” — the CMS’s most severe classification tier.

According to SecurityWeek, the developers believe an exploit could be created within hours or days of public disclosure, and they declined to share any technical details before the patch window. Affected versions include:

  • Drupal 11.3.x
  • Drupal 11.2.x
  • Drupal 10.6.x
  • Drupal 10.5.x

The significance here is historical context. Drupal has patched 40 vulnerabilities so far in 2026, but none have reached “highly critical” severity. No Drupal vulnerabilities have been exploited in the wild since 2019, and the last wave of mass exploitation — the Drupalgeddon and Drupalgeddon2 campaigns — compromised large numbers of sites before patches could be applied broadly. Administrators running any of the above versions should block time in their calendars for the May 20 window and be prepared to apply the update immediately upon release.

VMware Fusion Privilege Escalation Flaw Patched

Broadcom released a VMware Fusion update addressing CVE-2026-41702, a high-severity time-of-check time-of-use (TOCTOU) flaw rated “important” by the vendor. Reported by Mathieu Farrell, the vulnerability occurs during an operation performed by a SETUID binary.

According to SecurityWeek, a local non-administrative user can exploit the race condition to escalate privileges to root on the affected macOS system. No active exploitation has been reported, and Broadcom’s advisory does not indicate in-the-wild attacks.

The timing is notable: the patch arrives as VMware products are being targeted at the Pwn2Own hacking competition, where ESX exploits carry bounties of up to $200,000. Broadcom sent members of its security team to the event. CISA’s Known Exploited Vulnerabilities catalog already lists 26 VMware flaws, underscoring the platform’s persistent attractiveness as an attack target. VMware Workstation, historically a popular Pwn2Own target, was removed from this year’s competition scope.

Patch Priority and Exposure Analysis

With four separate disclosure events landing in the same week, security teams face a triage problem. A rough priority ordering based on exploitability and exposure:

  1. CVE-2026-42945 (NGINX) — Active exploitation confirmed, 5.7M potentially exposed servers, no authentication required. Patch immediately; restrict rewrite configurations if patching is delayed.
  2. CVE-2026-40361 (Outlook/Word) — Zero-click, no authentication, enterprise-wide email delivery vector. Apply May Patch Tuesday updates; enable plain-text rendering as interim mitigation.
  3. Drupal (unassigned CVE) — Patch releases May 20; exploitation expected within hours of disclosure. Schedule the update window now.
  4. CVE-2026-41702 (VMware Fusion) — Local access required, no active exploitation reported. Patch within normal cycle, prioritize multi-tenant or shared macOS environments.

What This Means

The NGINX situation illustrates a pattern that has become familiar: a critical patch drops, a researcher publishes PoC code within days, and threat actors weaponize it before most administrators have completed their patch cycles. The 16-year latency of CVE-2026-42945 in the NGINX codebase is a reminder that widely deployed open-source infrastructure often carries old, unaudited code paths that only surface when someone looks closely.

The Outlook zero-click flaw is the more strategically dangerous disclosure. Email-borne, zero-interaction RCE against enterprise targets is among the highest-value attack primitives available to threat actors, particularly those running targeted campaigns against executives or finance teams. The comparison to BadWinmail is apt — that flaw required significant organizational response in 2015, and this one warrants the same urgency.

Drupal’s pre-announcement approach — alerting administrators to reserve patch time without revealing vulnerability details — is a reasonable attempt to compress the window between disclosure and mass patching. Whether it succeeds depends on how quickly administrators act once the advisory goes live on May 20.

Collectively, this week’s disclosures reinforce that patch cadence is not a quarterly exercise. At least two of these four vulnerabilities are on a timeline measured in hours, not weeks.

FAQ

What is CVE-2026-42945 and who is affected?

CVE-2026-42945 is a heap buffer overflow in NGINX’s `ngx_http_rewrite_module`, rated CVSS 9.2. It affects both NGINX Plus and NGINX Open Source on servers using rewrite and set directives, and was patched by F5 in its May 2026 quarterly release after residing in the codebase for 16 years.

Does the Outlook zero-click vulnerability require the victim to open an attachment?

No. CVE-2026-40361 is triggered the moment a victim reads or previews an email in Outlook — no attachment interaction or link click is needed. Configuring Outlook to render emails in plain text only eliminates the attack surface until the May Patch Tuesday update is applied.

When will the Drupal highly critical patch be released?

Drupal’s security team scheduled the patch release for May 20 between 17:00 and 21:00 UTC, covering versions 11.3.x, 11.2.x, 10.6.x, and 10.5.x. Administrators should plan to apply the update immediately after release, as the developers expect exploits to appear within hours of disclosure.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.