A critical vulnerability, tracked as CVE-2026-42945 and codenamed "NGINX Rift," has been identified in the ngx_http_rewrite_module of the NGINX web server. Discovered by researchers at DepthFirst AI, this flaw has existed within the NGINX codebase for approximately 18 years. The vulnerability is a heap buffer overflow that occurs due to inconsistent state handling within NGINX's internal script engine during the processing of rewrite directives.
NGINX is a foundational component of modern web infrastructure, widely used as a web server, reverse proxy, and load balancer. Because it is deployed in high-traffic environments like API gateways, Kubernetes ingress controllers, and cloud-scale edge services, the impact of a compromise is potentially catastrophic.
Impact
The impact of CVE-2026-42945 varies depending on the system configuration, but the potential for damage is severe:
- Denial of Service (DoS): On systems utilizing specific, non-default URL rewrite configurations, an unauthenticated attacker can send specially crafted HTTP requests that trigger a heap overflow, causing NGINX worker processes to crash and restart. This can lead to a continuous crash loop, effectively taking the service offline.
- Remote Code Execution (RCE): On systems where Address Space Layout Randomization (ASLR) is disabled (a configuration sometimes found in embedded systems or performance-tuned virtual machines), an attacker could potentially achieve unauthenticated remote code execution.
- Active Exploitation: Recent intelligence from VulnCheck confirms that threat actors have already begun weaponizing this vulnerability, with exploitation attempts detected against honeypot networks shortly after the public disclosure.
Technical Details (TTPs)
The vulnerability resides in the two-pass process used by the NGINX rewrite engine to handle transformations:
- The Mechanism: The engine performs one pass to calculate the required memory allocation and a second pass to copy the actual data into the allocated buffer.
- The Flaw: A flaw exists when the is_args flag remains set after a rewrite containing a ? character. This causes NGINX to calculate the buffer size using unescaped URI lengths, but subsequently writes larger, escaped data (such as & expanding to %26 or + expanding to %2B) into the buffer.
- The Trigger: Exploitation requires a specific NGINX configuration where the rewrite directive is followed by rewrite, if, or set directives, and utilizes unnamed PCRE capture groups (e.g., $1, $2) with a replacement string containing a question mark (?).
- Memory Corruption: Attackers can use the overflow to corrupt adjacent NGINX memory pool structures or overwrite cleanup handler pointers. By using POST request bodies to "spray" fake structures into memory, attackers can force the NGINX process to execute arbitrary code during pool cleanup.
Affected Versions
The following products and versions are confirmed to be vulnerable:
- NGINX Open Source: Versions 0.6.27 through 0.9.7 and 1.0.0 through 1.30.0
- NGINX Plus: Versions R32 through R36
- NGINX Instance Manager: 2.16.0 through 2.21.1
- F5 WAF for NGINX: 5.9.0 through 5.12.1
- NGINX App Protect WAF: 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0
- NGINX Ingress Controller: 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1
- F5 DoS for NGINX: 4.8.0
- NGINX Gateway Fabric: 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1
- NGINX App Protect DoS: 4.3.0 through 4.7.0
Mitigation & Recommended Actions
Immediate Patching (Primary Recommendation)
The most effective defense is to upgrade to the patched versions released by F5:
- NGINX Open Source: Upgrade to 1.31.0 or 1.30.1.
- NGINX Plus: Upgrade to R36 P4 or R32 P6.
Configuration Workaround (If Patching is Not Immediately Possible)
If an immediate upgrade is not feasible, organizations should audit their NGINX configurations for vulnerable patterns. You can mitigate the risk by replacing unnamed PCRE capture groups (e.g., $1, $2) with named captures in all rewrite directives. This prevents the specific logic error in the rewrite engine that leads to the overflow.
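An audit helper for this workaround, added here as an example and not code from the bulletin or the NGINX project. It scans a constructed configuration for the trigger pattern described in the Technical Details section (a rewrite whose replacement references an unnamed capture such as $1 and contains a ?, with the next directive in the same block being rewrite, if, or set) and leaves rewrites that already use named captures alone.

```python
import re

# Constructed sample configuration (not from any real deployment): the /old/
# location matches the bulletin's trigger pattern, /safe/ shows the named-capture
# workaround, and /plain/ has an unnamed capture but no '?' in the replacement.
SAMPLE_CONF = """
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/index.php?page=$1 last;
        set $flag 1;
    }
    location /safe/ {
        rewrite ^/safe/(?<page>.*)$ /new/index.php?page=$page last;
        set $flag 1;
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /other/$1 permanent;
    }
}
"""

# 'rewrite REGEX REPLACEMENT [flag];' -- capture the first two arguments.
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)')
# Directives the bulletin lists as the ones that must follow the rewrite.
FOLLOWER_RE = re.compile(r'^\s*(rewrite|if|set)\b')
# An unescaped reference to an unnamed capture group: $1, $2, ...
UNNAMED_REF_RE = re.compile(r'(?<!\\)\$\d')

def find_risky_rewrites(conf_text):
    """Return (line_no, directive, followed) for each rewrite whose replacement
    uses an unnamed capture and contains '?'. `followed` is True when the next
    directive in the same block is rewrite/if/set."""
    lines = conf_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        replacement = m.group(2)
        if '?' not in replacement or not UNNAMED_REF_RE.search(replacement):
            continue
        followed = False
        for nxt in lines[i + 1:]:
            s = nxt.strip()
            if not s or s.startswith('#'):
                continue          # skip blank lines and comments
            if s.startswith('}'):
                break             # end of the enclosing block
            followed = bool(FOLLOWER_RE.match(s))
            break
        hits.append((i + 1, line.strip(), followed))
    return hits

if __name__ == '__main__':
    for line_no, directive, followed in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: {directive}  followed_by_rewrite_if_set={followed}")
```

Run it against a real nginx.conf (and every file it includes) by passing the file contents in place of SAMPLE_CONF; each hit is a rewrite to convert to named captures, with the `followed=True` hits addressed first.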
Defensive Posture
- Enable ASLR: Ensure that Address Space Layout Randomization (ASLR) is enabled on all host operating systems to significantly increase the difficulty of achieving RCE.
- Monitor for Crashes: Implement enhanced monitoring and alerting for unexpected NGINX worker process restarts or crashes, which may indicate an ongoing DoS attack attempt.
- WAF Implementation: Utilize Web Application Firewalls (WAF) to inspect incoming URI patterns for suspicious characters and excessive lengths often associated with buffer overflow exploits.
