
Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)

May 24, 2026  Twila Rosenbaum  5 views

A critical vulnerability in NGINX, the world's most widely deployed web server, is now being actively exploited by attackers. The flaw, identified as CVE-2026-42945 and nicknamed NGINX Rift, was disclosed just last week. Security researchers at VulnCheck confirmed on Saturday that exploitation attempts have been detected in the wild, with their canary systems flagging malicious activity as early as May 16.

NGINX Rift is a memory corruption vulnerability residing in the ngx_http_rewrite_module. It can be triggered by sending a specially crafted HTTP request to a vulnerable NGINX instance. The bug allows an unauthenticated, remote attacker to corrupt the heap of an NGINX worker process. In many configurations, this reliably causes a denial-of-service (DoS) condition, but under specific circumstances it may also lead to unauthenticated remote code execution (RCE).

What is NGINX and why does this matter?

NGINX is not just another web server; it is a cornerstone of modern internet infrastructure. Originally created by Igor Sysoev and first released in 2004, NGINX is designed for high concurrency, low memory usage, and scalability. It powers a significant portion of the world's busiest websites, including streaming platforms, e-commerce sites, and enterprise applications. Beyond serving static and dynamic content, NGINX commonly operates as a reverse proxy, load balancer, HTTP cache, and API gateway.

The software is maintained by F5 Networks, which offers both an open-source edition (NGINX Open Source) and a commercial version (NGINX Plus). F5 also integrates NGINX into its broader application delivery and security portfolio, including the NGINX Ingress Controller for Kubernetes, F5 Web Application Firewall (WAF) for NGINX, and F5 DoS for NGINX. Because of its pervasive use, vulnerabilities in NGINX have the potential to affect millions of servers worldwide.

Technical details of CVE-2026-42945

The vulnerability affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus versions R32 through R36. It also impacts various F5 products that bundle NGINX, such as the NGINX Ingress Controller and F5 WAF for NGINX. The root cause lies in a memory corruption bug within the rewrite module's handling of regular expression captures.

Specifically, the flaw manifests when a rewrite directive uses an unnamed regex capture ($1, $2) combined with a replacement string that includes a question mark, followed by another rewrite, if, or set directive. Under this pattern, NGINX miscalculates the required buffer size for certain escaping operations, leading to a heap buffer overflow. The overflow writes past the allocated memory boundary, and the content written is derived from the attacker-controlled URI. This gives the attacker deterministic control over the corruption.

Repeated exploitation can force NGINX worker processes into a crash loop, effectively rendering the server unavailable for all sites hosted on that instance. The DoS impact is straightforward and does not require any special configuration beyond having the vulnerable rewrite pattern in place. However, achieving remote code execution is more challenging and depends on additional factors.

Exploitation and proof-of-concept

The vulnerability was discovered by researchers at Depthfirst using their AI-native vulnerability detection platform. Along with four other security issues, they reported CVE-2026-42945 to F5, which subsequently released patches. Depthfirst then published a detailed technical write-up and a proof-of-concept (PoC) exploit, enabling the security community to test and verify the flaw.

According to VulnCheck's Initial Access team, their honeypot systems began recording exploitation attempts three days after the public disclosure. The attackers appear to be scanning for vulnerable NGINX instances and attempting to trigger the DoS condition. While code execution is not guaranteed, security researchers including Kevin Beaumont have noted that successful RCE is possible if the attacker can disable address space layout randomization (ASLR) on the target system. ASLR is a standard mitigation that randomizes the memory layout of a process so that the addresses a memory-corruption exploit depends on cannot be predicted. On many servers, ASLR can be disabled by an attacker with sufficient access or through another vulnerability, but it is not a trivial prerequisite.

A key limitation is that not every NGINX instance is vulnerable. The server must be running a specific rewrite configuration that triggers the bug. A Censys scan revealed approximately 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, though the subset with the exact required rewrite pattern is likely much smaller. Nevertheless, given NGINX's vast footprint, even a small percentage represents a significant attack surface.

Patches and mitigation

F5 has released patches for all affected product lines. For NGINX Open Source, the fixed versions are 1.31.0 and 1.30.1. NGINX Plus users should upgrade to R36 P4 or R32 P6. F5 WAF for NGINX v5.13.0 and F5 DoS for NGINX v4.9.0 also include the fix. Additionally, F5 provided a mitigation for administrators who cannot immediately patch: replacing unnamed captures with named captures in rewrite definitions. For example, using $name instead of $1 avoids the buffer miscalculation.
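The two configuration shapes described above (the unnamed-capture rewrite pattern from the technical details section and the named-capture mitigation from this section) are easy to confuse when auditing many server blocks. The following added example, not code from F5 or from the article, is a small Python audit helper that flags rewrite directives matching the described pattern in a constructed sample config; it assumes one directive per line and treats the regex/replacement/follower rule exactly as the article states it, which is a heuristic rather than F5's official detection logic.

```python
import re

# Constructed sample nginx config (not from the article or from F5). The first
# server block has the shape the write-up describes: a rewrite whose regex uses
# an unnamed capture, whose replacement references $1 and contains '?', and
# which is directly followed by a set directive. The second block is the
# mitigated form, using a named capture ($path) instead of $1.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        rewrite ^/old/(.*)$ /new/$1?legacy=1 last;
        set $tag legacy;
    }
    server {
        listen 8080;
        rewrite ^/old/(?<path>.*)$ /new/$path?legacy=1 last;
        set $tag legacy;
    }
}
"""

UNNAMED_REF = re.compile(r"\$[1-9]")   # $1 .. $9 references in the replacement
FOLLOWERS = {"rewrite", "if", "set"}   # the follow-on directives the article names


def _next_directive(lines, start):
    """Name of the next directive after index `start`, or None if the
    enclosing block closes first. Comments and blank lines are skipped."""
    for raw in lines[start:]:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("}"):
            return None
        return line.split()[0]
    return None


def find_risky_rewrites(config_text):
    """Return [(line_number, line)] for each rewrite directive that uses an
    unnamed capture reference plus '?' in its replacement and is followed by
    a rewrite, if or set directive. Assumes one directive per line."""
    lines = config_text.splitlines()
    hits = []
    for i, raw in enumerate(lines):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "rewrite":
            replacement = tokens[2]
            if UNNAMED_REF.search(replacement) and "?" in replacement:
                if _next_directive(lines, i + 1) in FOLLOWERS:
                    hits.append((i + 1, raw.strip()))
    return hits


if __name__ == "__main__":
    for lineno, text in find_risky_rewrites(SAMPLE_CONFIG):
        print(f"line {lineno}: {text}")
```

Run against a real nginx.conf (and the files it includes) the helper prints only the rewrite lines worth converting to named captures; a clean result does not replace upgrading to a fixed version.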

Major Linux distributions have moved quickly to address the issue. AlmaLinux, Ubuntu, and Debian have released updated nginx packages. Red Hat and CentOS users are also advised to check for updates or apply the mitigation manually. Cloud providers and managed hosting services that utilize NGINX are likely rolling out patches across their infrastructure.

The long-term lesson is that even foundational software components can harbor subtle memory corruption bugs when complex features like regex captures interact with string escaping. The rewrite module is a powerful tool for URL manipulation, but this incident highlights the importance of rigorous testing, especially for configurations that combine multiple directives.

Given the active exploitation, organizations running NGINX should prioritize patching or applying the mitigation. Attackers are actively scanning the internet for vulnerable servers, and even a temporary DoS can disrupt business-critical services. The security community continues to monitor for signs of more sophisticated campaigns aiming for code execution. As ASLR bypass techniques evolve, the risk may increase, but for now, the primary threat remains service disruption.


Source: Help Net Security News

