Active Exploitation of Critical 'NGINX Rift' Vulnerability (CVE-2026-42945) Threatens Web Servers with RCE

CRITICAL
May 18, 2026


Executive Summary

A critical, 18-year-old vulnerability in NGINX Open Source and NGINX Plus is under active exploitation. The vulnerability, identified as CVE-2026-42945 and nicknamed "NGINX Rift," is a heap buffer overflow in the ngx_http_rewrite_module. A remote, unauthenticated attacker can send a specially crafted HTTP request to a vulnerable server, causing the NGINX worker process to crash, resulting in a denial-of-service (DoS) condition. Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled, the flaw could be leveraged for remote code execution (RCE). Security firm VulnCheck has confirmed detecting active exploitation attempts against its honeypots. F5, the developer of NGINX, has released patches, and immediate action is required.

Vulnerability Details

CVE-2026-42945 is a heap-based buffer overflow vulnerability rooted in the way the ngx_http_rewrite_module handles URI rewrites. The flaw has a CVSS score of 9.2, reflecting its critical severity. Exploitation is contingent on a specific but common server configuration. The vulnerability is triggered when all of the following conditions are met:

  1. A rewrite directive is used in the NGINX configuration.
  2. The regex in the rewrite directive uses an unnamed capture group (e.g., (.*), referenced in the replacement as $1).
  3. The replacement string for the rewrite contains a literal question mark (?).
  4. This rewrite directive is followed by another rewrite, if, or set directive.

This combination of directives causes a miscalculation in the memory size required for the rewritten URI. The server allocates a buffer that is too small, and when the attacker provides a crafted request, data is written past the end of this buffer, corrupting the memory heap. This corruption reliably crashes the worker process and can potentially be controlled for arbitrary code execution.

Affected Systems

The vulnerability affects a wide range of NGINX versions spanning nearly two decades:

  • NGINX Open Source: Versions 0.6.27 through 1.30.0
  • NGINX Plus: Versions R32 through R36

Given that NGINX powers over a third of the world's websites, the number of potentially vulnerable systems is in the tens of millions.

Exploitation Status

Active exploitation began just days after the vulnerability's public disclosure. VulnCheck reported that its honeypot network detected exploitation attempts over the weekend of May 16-17, 2026. The current in-the-wild attacks appear focused on causing DoS by crashing worker processes. However, the public availability of a proof-of-concept (PoC) exploit increases the risk that more sophisticated attackers will develop a reliable RCE exploit, especially against environments with weakened security postures (e.g., disabled ASLR).

Impact Assessment

The impact of CVE-2026-42945 is severe and widespread:

  • Denial of Service (DoS): The most immediate and reliable impact is DoS. An attacker can repeatedly send malicious requests to crash all NGINX worker processes, making the web application or service completely unavailable.
  • Remote Code Execution (RCE): While more complex to achieve, RCE is a possible outcome. A successful RCE exploit would give an attacker full control over the web server, allowing them to steal data, install malware, or use the server to attack other systems.
  • Business Disruption: For e-commerce, media, and SaaS companies that rely on NGINX, the DoS impact alone can lead to significant revenue loss and reputational damage.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type: File Content
Value: rewrite .* "...?..."
Description: Search NGINX configuration files (nginx.conf and included files) for rewrite directives that use unnamed captures and contain a ? in the replacement string.

Type: Log Pattern
Value: NGINX error logs
Description: Monitor error.log for an increase in worker process crashes or segmentation faults, especially if correlated with specific incoming requests.

Type: Network Traffic
Value: Unusually long URIs
Description: Look for HTTP requests with abnormally long URIs sent to endpoints known to use rewrite rules.

Detection Methods

  1. Configuration Scanning: Proactively scan all NGINX configuration files for the vulnerable rewrite pattern. Automated scripts can be used to check for this across a large fleet of servers.
  2. Web Application Firewall (WAF): Deploy WAF rules to inspect incoming HTTP requests for patterns that match the exploit. A rule could block requests with excessively long URIs targeting pages known to have vulnerable rewrite rules.
  3. Log Monitoring: Implement centralized logging for NGINX access.log and error.log. Create SIEM alerts for a high rate of worker process crashes or for access attempts that match the exploit signature.
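To automate the configuration scan in step 1 against the four trigger conditions listed under Vulnerability Details (and the "File Content" hunting hint), here is an added Python example; it is not part of this advisory or of F5's tooling. Its parser is deliberately minimal and assumes that '#' always starts a comment, that ';' and braces never appear inside quoted arguments, and that included files are scanned separately; the embedded configuration is a constructed sample.

```python
import re
import shlex

FOLLOWERS = {"rewrite", "if", "set"}            # directives that complete condition 4
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")  # "(" that is not "(?<name>" or "(?:"


def parse_directives(text):
    """Flat list of (depth, args) in document order. Assumes '#' starts a comment,
    ';' '{' '}' never sit inside quotes, and 'include' files are scanned separately."""
    out, depth = [], 0
    for piece in re.split(r"([;{}])", re.sub(r"#[^\n]*", "", text)):
        if piece in ";{}":                      # statement terminator or block edge
            depth += (piece == "{") - (piece == "}")
        elif piece.strip():
            out.append((depth, shlex.split(piece)))
    return out


def find_vulnerable_rewrites(text):
    """Return the rewrite directives that satisfy all four trigger conditions."""
    ds, hits = parse_directives(text), []
    for idx, (depth, args) in enumerate(ds):
        if args[0] != "rewrite" or len(args) < 3:
            continue                                          # condition 1
        regex, replacement = args[1], args[2]
        if not UNNAMED_GROUP.search(regex) or "?" not in replacement:
            continue                                          # conditions 2 and 3
        # Condition 4: a later rewrite/if/set in the same block. Assumption: the
        # whole rest of the block is checked, not only the next directive.
        for d2, a2 in ds[idx + 1:]:
            if d2 < depth:
                break
            if d2 == depth and a2[0] in FOLLOWERS:
                hits.append(" ".join(args))
                break
    return hits


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = r"""
server {
    rewrite ^/path/(.*)$ /newpath?arg=$1;      # all four conditions met
    set $flag 1;
    location /fixed {
        rewrite "^/path/(?<capture>.*)$" /newpath?arg=$capture;   # workaround applied
        rewrite ^/old/(.*)$ /new/$1 permanent; # no literal '?' in the replacement
    }
    location /solo { rewrite ^/x/(.*)$ /y?q=$1; }   # no rewrite/if/set follows it
}
"""
```

Run `find_vulnerable_rewrites(open("nginx.conf").read())` per file; only the server-level rewrite in the sample is reported, the named-capture rewrite from the workaround is not.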

Defensive D3FEND techniques like Inbound Traffic Filtering and File Content Rules can be used to build detection and blocking capabilities.
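For the log-monitoring step (and the "Log Pattern" hunting hint), here is an added Python example, not taken from the advisory, that reads error.log lines and raises an alert when several workers die on SIGSEGV inside a short trailing window. The log lines are constructed samples in the message format nginx's master process uses ("worker process N exited on signal 11"); the threshold and window length are assumed values.

```python
import re
from collections import deque
from datetime import datetime

# Message the nginx master process logs when a worker dies on a signal. SIGSEGV
# (signal 11) is the symptom the advisory ties to the heap overflow.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)


def detect_crash_bursts(lines, threshold=3, window_s=60, signal=11):
    """Return (timestamp, count) for every crash line at which at least
    'threshold' worker crashes on 'signal' fall inside the trailing window.
    Threshold and window are assumed values; tune them to the fleet."""
    recent, alerts = deque(), []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m or int(m["sig"]) != signal:
            continue                       # not a crash, or a different signal
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()               # drop crashes outside the window
        if len(recent) >= threshold:
            alerts.append((m["ts"], len(recent)))
    return alerts


# Constructed sample error.log lines (not from a real incident).
SAMPLE_ERROR_LOG = """\
2026/05/17 03:12:45 [alert] 1234#1234: worker process 5678 exited on signal 11 (core dumped)
2026/05/17 03:12:46 [notice] 1234#1234: start worker process 5690
2026/05/17 03:12:47 [alert] 1234#1234: worker process 5690 exited on signal 11 (core dumped)
2026/05/17 03:12:49 [alert] 1234#1234: worker process 5701 exited on signal 11 (core dumped)
2026/05/17 03:12:50 [notice] 1234#1234: signal 15 (SIGTERM) received from 1, exiting
2026/05/17 04:30:00 [alert] 1234#1234: worker process 6001 exited on signal 11 (core dumped)
""".splitlines()

if __name__ == "__main__":
    for ts, n in detect_crash_bursts(SAMPLE_ERROR_LOG):
        print(f"{ts}: {n} worker crashes on SIGSEGV within 60s; correlate with access.log")
```

Feed the alert timestamps back into access.log to find the requests that arrived just before each crash, which is the correlation the hunting hint asks for.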

Remediation Steps

Immediate remediation is crucial. Organizations have two primary options:

  1. Upgrade NGINX (Recommended): The most effective solution is to upgrade to a patched version. F5 has released:

    • NGINX Open Source 1.30.1 or later.
    • NGINX Plus R37 or later.
  2. Apply Workaround (If patching is not possible): If an immediate upgrade is not feasible, the vulnerability can be mitigated by modifying the NGINX configuration. The workaround involves replacing the unnamed regex capture with a named capture group.

    • Vulnerable configuration: rewrite ^/path/(.*)$ /newpath?arg=$1;
    • Mitigated configuration: rewrite "^/path/(?<capture>.*)$" /newpath?arg=$capture;

    This change avoids the code path with the buffer overflow vulnerability. After applying the workaround, reload the NGINX configuration (nginx -s reload).

Timeline of Events

  1. May 16, 2026: Exploitation attempts targeting CVE-2026-42945 are detected against honeypot networks.
  2. May 18, 2026: Multiple security news outlets report on the active in-the-wild exploitation.
  3. May 18, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary mitigation is to upgrade NGINX to a patched version (1.30.1+ for Open Source, R37+ for Plus) to fully remediate the vulnerability.

As a workaround, modify the NGINX configuration to use named capture groups instead of unnamed ones in rewrite rules to prevent triggering the flaw.

Use a Web Application Firewall (WAF) to filter malicious requests attempting to exploit the vulnerability before they reach the NGINX server.

Audit (M1047, Enterprise): Monitor NGINX error logs for worker process crashes, which can be an indicator of active exploitation attempts.

Sources & References

  • Exploitation of Critical NGINX Vulnerability Begins. SecurityWeek (securityweek.com), May 18, 2026.
  • Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945). Help Net Security (helpnetsecurity.com), May 18, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

NGINX, CVE-2026-42945, RCE, DoS, web server, buffer overflow
