Three separate vulnerability disclosures this week put NGINX servers, Microsoft Outlook, and VMware Fusion users on high alert — with active exploitation already confirmed for one and urgent patching advised for all three. Security researchers also weighed in on a disputed test of Anthropic’s Claude Mythos model, which found only one confirmed vulnerability in the curl codebase despite earlier claims of thousands of zero-day discoveries.
CVE-2026-42945: NGINX Heap Overflow Under Active Exploitation
Active attacks targeting a critical NGINX vulnerability began over the weekend, just days after F5 released patches, according to VulnCheck. The flaw, tracked as CVE-2026-42945 and dubbed Nginx Rift, carries a CVSS score of 9.2 and is described as a heap buffer overflow in the `ngx_http_rewrite_module` component. It was introduced into the NGINX codebase 16 years ago.
“We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,” VulnCheck researcher Patrick Garrity warned.
The root cause, as detailed by Depthfirst, lies in the script engine’s two-pass process: one pass computes the required buffer size, the second copies data. Because internal engine state changes between passes, a rewrite replacement containing a question mark causes an unpropagated flag to produce an undersized buffer allocation — allowing attacker-controlled data to be written past the heap boundary.
On default deployments, successful exploitation triggers a server restart, causing a denial-of-service (DoS) condition. Remote code execution (RCE) is possible only if Address Space Layout Randomization (ASLR) is disabled, which is not the default on most modern systems. The vulnerability is exploitable remotely and without authentication via crafted HTTP requests, but does require a specific rewrite configuration to be present.
VulnCheck reported that a Censys query surfaces roughly 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is a smaller subset of that figure. Depthfirst published technical details and proof-of-concept (PoC) code shortly after F5’s patch release, accelerating the exploitation timeline.
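Because the article states that exploitation requires a specific rewrite configuration to be present, the first defensive step is to find out which servers are actually in the exploitable subset rather than treating every NGINX host as equal. The script below is an added triage example, not code from the article, F5, VulnCheck or Depthfirst. It parses NGINX configuration text and reports every `rewrite` directive whose replacement string contains a question mark, which is the precondition the article's root-cause summary describes; that interpretation is an assumption of this example, so hits should be reviewed against the vendor advisory rather than taken as confirmation, and `set` directives are not examined. The sample configuration is constructed for the demonstration.

```python
"""Triage helper for the NGINX rewrite precondition described above.

Added example, not code from the article, F5, VulnCheck or Depthfirst.
Assumption taken from the article's root-cause summary: the exploitable
configuration is a `rewrite` directive whose replacement contains a '?'.
Hits are candidates for review against vendor guidance, not confirmation.
"""
import re
from dataclasses import dataclass

# One token per match: comment, quoted string, block punctuation, or bare word.
TOKEN_RE = re.compile(r'''
    \s*(?:
        (?P<comment>\#[^\n]*)           # comment runs to end of line
      | (?P<dq>"(?:\\.|[^"\\])*")       # double-quoted string (with escapes)
      | (?P<sq>'(?:\\.|[^'\\])*')       # single-quoted string
      | (?P<punct>[{};])                # block open/close, directive terminator
      | (?P<word>[^\s{};"'#]+)          # bare word (regex, path, flag, ...)
    )
''', re.VERBOSE)


@dataclass
class Finding:
    line: int
    context: str        # enclosing blocks, e.g. "http > server > location /search"
    replacement: str    # the rewrite replacement that contains '?'


def tokenize(text):
    """Yield (kind, value, line) for each non-comment token in nginx config text."""
    pos, line = 0, 1
    while True:
        m = TOKEN_RE.match(text, pos)
        if m is None:
            if text[pos:].strip():
                raise ValueError(f"unparsable input near line {line}")
            return
        kind = m.lastgroup
        value = m.group(kind)
        line += text.count('\n', pos, m.start(kind))   # newlines in skipped whitespace
        if kind != 'comment':
            yield kind, value, line
        line += value.count('\n')                      # quoted strings may span lines
        pos = m.end()


def _unquote(value):
    """Strip the surrounding quotes and resolve backslash escapes."""
    return re.sub(r'\\(.)', r'\1', value[1:-1])


def directives(text):
    """Yield (name, args, line, context) per directive; context is the block stack."""
    stack, current = [], []
    for kind, value, line in tokenize(text):
        if kind in ('dq', 'sq'):
            value = _unquote(value)
        if kind != 'punct':
            current.append((value, line))
            continue
        if value == '}':
            if stack:
                stack.pop()
            current = []
            continue
        if current:                                    # '{' or ';' ends a directive
            name, args, first = current[0][0], [v for v, _ in current[1:]], current[0][1]
            yield name, args, first, list(stack)
        if value == '{':
            stack.append(' '.join(v for v, _ in current) or '{')
        current = []


def find_risky_rewrites(text):
    """Return rewrite directives whose replacement (second argument) contains '?'."""
    findings = []
    for name, args, line, ctx in directives(text):
        if name == 'rewrite' and len(args) >= 2 and '?' in args[1]:
            findings.append(Finding(line, ' > '.join(ctx) or '(main)', args[1]))
    return findings


# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """\
# constructed sample: three rewrites, two with a '?' in the replacement
http {
    server {
        listen 80;
        location /old {
            rewrite ^/old/(.*)$ /new/$1 permanent;   # no '?': not a hit
        }
        location /search {
            rewrite ^/search/(.*)$ /q?term=$1 last;  # hit
        }
        location /legacy {
            rewrite "^/legacy/(.*)$" "/app?path=$1&v=2" break;   # hit, quoted form
        }
    }
}
"""

if __name__ == "__main__":
    for f in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {f.line}: [{f.context}] rewrite replacement {f.replacement!r}")
```

To run it against a live fleet, feed it the output of `nginx -T` (which prints the fully resolved configuration, including `include`d files) from each host; the block-stack context in each finding tells you which `server` and `location` the rewrite lives in, so a patch or a temporary configuration change can be prioritised for the hosts that actually match.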
CVE-2026-40361: Zero-Click Outlook Flaw Compared to ‘Enterprise Killer’
Microsoft’s latest Patch Tuesday addressed 137 vulnerabilities, including a critical zero-click remote code execution flaw in Outlook tracked as CVE-2026-40361. The vulnerability was reported by Haifei Li, developer of the zero-day detection system Expmon, who posted on X to explain its severity and attack vector.
Despite Microsoft’s advisory describing it as a Word vulnerability, Li clarified that it affects a DLL used heavily by both Word and Outlook. The flaw is a use-after-free bug that can be triggered for RCE the moment a victim reads or previews an email — no link click or attachment interaction required.
“You definitely want to patch this sooner rather than later,” Li wrote, adding that “the danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or previews the email.”
Li drew a direct comparison to CVE-2015-6172, a flaw he discovered over a decade ago that was dubbed BadWinmail and labeled an “enterprise killer” at the time. He described the same attack vector and potential impact: “Essentially, anyone could compromise a CEO or CFO just by sending an email. The threat perfectly bypasses enterprise firewalls and is delivered directly to the inbox.”
Microsoft assigned CVE-2026-40361 an ‘exploitation more likely’ rating. Li noted, however, that he developed only a proof-of-concept rather than a working exploit achieving full code execution. He suggested setting Outlook to render emails in plain text as a mitigation while patches are deployed, though he acknowledged this is difficult to enforce at scale in enterprise environments.
CVE-2026-41702: VMware Fusion Privilege Escalation Patched
Broadcom released a VMware Fusion update on Thursday to address a high-severity privilege escalation vulnerability tracked as CVE-2026-41702, rated ‘important’ by the vendor. According to Broadcom’s advisory, the flaw was reported by Mathieu Farrell.
The bug is classified as a time-of-check time-of-use (TOCTOU) vulnerability occurring during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges can exploit it to escalate privileges to root on the affected system.
Broadcom’s advisory does not indicate CVE-2026-41702 has been exploited in the wild. The timing of the disclosure is notable: VMware products are a scheduled target at this week’s Pwn2Own hacking competition, where ESX exploits can earn participants up to $200,000. Broadcom has sent members of its security team to the event.
VMware Workstation, historically a popular target at Pwn2Own, has been removed from this year’s target list. CISA’s Known Exploited Vulnerabilities (KEV) catalog currently lists 26 VMware flaws, reflecting the platform’s persistent appeal to threat actors. Additional VMware patches may follow as Pwn2Own results are disclosed.
Claude Mythos vs. Curl: One Confirmed Vulnerability from 178,000 Lines
A separate but closely watched test of Anthropic’s restricted Claude Mythos AI model produced results that have divided the security community. Daniel Stenberg, lead developer of the widely used data transfer tool curl, described the findings in a blog post after a third party tested curl using Mythos on his behalf.
Mythos analyzed 178,000 lines of curl’s codebase and returned five ‘confirmed security vulnerabilities.’ On review, three were known issues already described in official documentation, and one was a bug rather than a security flaw. Only one vulnerability was confirmed by the curl developers as a genuine security issue — and it was rated low severity, with a patch expected in late June.
The result stands in contrast to Anthropic’s earlier claims that Mythos had identified thousands of zero-days ahead of its launch. Anthropic has limited Mythos access to a few dozen major organizations due to concerns about potential misuse.
Stenberg noted that other AI-powered analysis tools — including Zeropath, AISLE, and OpenAI’s Codex — had previously analyzed curl and helped identify 200 to 300 issues, including “a dozen or more” confirmed vulnerabilities. He acknowledged that AI code analysis tools are “significantly better” at finding security holes than traditional static analysis, but concluded that Mythos’ performance on curl did not match Anthropic’s stated claims.
Some security researchers counter that the results may reflect curl’s unusually mature and well-audited codebase rather than any limitation of Mythos, making it an atypical benchmark for evaluating the model’s capabilities.
What This Means
The NGINX exploitation timeline is the most operationally urgent story this week. The gap between patch release, PoC publication, and confirmed in-the-wild attacks collapsed to a matter of days — a pattern that has become routine but remains dangerous for organizations that run quarterly patching cycles. The 5.7 million potentially exposed servers figure from VulnCheck underscores the scale of the exposure, even if the truly exploitable subset is smaller.
The Outlook zero-click flaw is the higher-stakes enterprise risk over the medium term. Li’s comparison to BadWinmail is not hyperbole: a no-interaction email-based RCE that bypasses perimeter defenses is the kind of vulnerability that nation-state actors and ransomware groups prioritize for weaponization. Microsoft’s ‘exploitation more likely’ rating signals that a working exploit is considered achievable, even if one has not surfaced publicly yet.
The Claude Mythos result is a useful data point, not a verdict. Testing a frontier AI model on one of the most carefully maintained open-source codebases in existence — curl has had dedicated security audits for years — is a high bar. The more meaningful comparison will come when Mythos is tested against less-audited enterprise software. Until then, the gap between Anthropic’s marketing claims and Stenberg’s findings is worth tracking.
FAQ
What is CVE-2026-42945 and who is affected?
CVE-2026-42945 is a heap buffer overflow in NGINX’s `ngx_http_rewrite_module`, affecting both NGINX Plus and NGINX Open Source. It affects servers using rewrite and set directives, and patches are available from F5 as part of its latest quarterly release.
Does the Outlook zero-click vulnerability require user interaction to exploit?
No. CVE-2026-40361 is triggered as soon as a victim reads or previews an email in Outlook — no clicks on links or attachments are needed. Rendering emails in plain text is a partial mitigation, but applying Microsoft’s Patch Tuesday update is the recommended fix.
How did Claude Mythos perform compared to other AI security tools on curl?
Mythos found one confirmed low-severity vulnerability in curl’s 178,000-line codebase. Other AI tools including Zeropath, AISLE, and OpenAI’s Codex had previously identified 200 to 300 issues in curl, with a dozen or more confirmed as genuine vulnerabilities, according to curl lead developer Daniel Stenberg.
Sources
- Exploitation of Critical NGINX Vulnerability Begins – SecurityWeek
- Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises – SecurityWeek
- Claude Mythos Finds Only One Curl Vulnerability; Experts Divided on What It Really Means – SecurityWeek
- High-Severity Vulnerability Patched in VMware Fusion – SecurityWeek
- PoC Code Published for Critical NGINX Vulnerability – SecurityWeek