NGINX Rift: An 18-Year-Old Flaw in the World’s Most-Used Web Server Now Enables Unauthenticated Remote Code Execution
CVE-2026-42945, a heap buffer overflow dormant since 2008, was disclosed on May 13, 2026 alongside a working public proof-of-concept. Hundreds of millions of servers are affected. Here is everything administrators need to know.
A working exploit is publicly available on GitHub. If your NGINX configuration uses rewrite and set directives together with unnamed capture groups ($1, $2) and a ? in the replacement string, you are potentially exploitable right now. Patch or apply the workaround immediately.
Background & Discovery
On May 13, 2026, security research firm depthfirst, in coordinated disclosure with F5, published details of a critical vulnerability that has been present in NGINX since 2008. The bug was found in April 2026 when depthfirst's AI-assisted analysis system scanned the NGINX source code and flagged four separate memory corruption flaws. The most severe of these was assigned CVE-2026-42945 with a CVSS v4 score of 9.2 (Critical).
Nicknamed NGINX Rift, the vulnerability is a heap buffer overflow in ngx_http_rewrite_module, the core script engine that processes URL rewrite rules and is used in virtually every non-trivial NGINX deployment worldwide. A public proof-of-concept (PoC) exploit was released on GitHub hours after disclosure, sharply compressing the window in which administrators can act.
“An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution. There is no authentication step, no prior access requirement, and no need for an existing session.”
(depthfirst security advisory)
Root Cause: A State Mismatch Across Two Engine Passes
NGINX’s internal script engine handles rewrite directives using a two-pass architecture:
- Pass 1 (Length Calculation): A freshly zeroed sub-engine calculates how large the output buffer needs to be, then allocates that memory.
- Pass 2 (Data Copy): The main engine writes the actual data into the allocated buffer.
The critical failure occurs when a rewrite directive contains a question mark (?). This permanently sets an is_args = 1 flag on the main engine. The length-calculation sub-engine, however, is freshly zeroed, so it runs with is_args = 0 and sizes the buffer without accounting for the URI escaping that the write pass will apply.
During the write pass, the main engine applies URI percent-encoding, which can expand a single byte into three bytes (e.g., a space becomes %20). The result: the write pass overflows the undersized heap buffer with attacker-controlled URI data. This heap overflow can corrupt adjacent memory structures in the NGINX worker process and, with precise exploitation, achieve remote code execution.
# Length pass uses sub-engine (is_args = 0)
allocated_size = raw_capture_length      # e.g. 10 bytes

# Write pass uses main engine (is_args = 1, URI escaping active)
bytes_written = escaped_length           # e.g. 28 bytes: OVERFLOW

# Result: 28 bytes are written into a 10-byte heap buffer
# Heap buffer overflow -> memory corruption -> potential RCE

Important nuance: The vulnerability is configuration-dependent. It requires both a rewrite and a set directive in combination, an unnamed PCRE capture group ($1, $2) and a replacement string containing a ?. Not every NGINX installation is exploitable, but this combination is extremely common in API gateway and application routing configurations.
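The mismatch between the two passes is easiest to see in a small model of the engine. The following is an added illustration, not NGINX source code: the Engine structure, the escape table and the function names are simplified assumptions, chosen only to show how a zeroed sub-engine under-sizes the allocation that the escaping write pass then overruns, and what changes when the sub-engine inherits the flag.

```python
"""Model of the two-pass script engine mismatch described above.

Added illustration, not NGINX source: the engine structure and the escape
table are simplified assumptions chosen to show why the length pass
under-sizes the buffer when the write pass escapes."""
from dataclasses import dataclass
from typing import Tuple

# Bytes a query-string escape leaves untouched (assumption: a simplified
# stand-in for NGINX's escape table, which differs in detail).
_UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/"
)


@dataclass
class Engine:
    is_args: bool = False  # becomes True once the replacement contains '?'


def escape_args(data: bytes) -> bytes:
    """Percent-encode every byte outside the unreserved set: 1 byte -> 3."""
    out = bytearray()
    for b in data:
        if b in _UNRESERVED:
            out.append(b)
        else:
            out += b"%%%02X" % b
    return bytes(out)


def length_pass(main: Engine, capture: bytes, fixed: bool = False) -> int:
    """Pass 1: decide the buffer size for one capture.

    The buggy engine runs the length code on a freshly zeroed sub-engine,
    so the main engine's is_args is lost and escaping is never counted.
    With fixed=True the sub-engine inherits the flag, as a fix must."""
    sub = Engine()  # zeroed sub-engine: is_args == False
    if fixed:
        sub.is_args = main.is_args
    return len(escape_args(capture)) if sub.is_args else len(capture)


def write_pass(main: Engine, buf_size: int, capture: bytes) -> Tuple[bytes, int]:
    """Pass 2: the bytes the main engine writes, and how many of them land
    past the end of a buf_size-byte buffer (0 when everything fits)."""
    data = escape_args(capture) if main.is_args else capture
    return data, max(0, len(data) - buf_size)


def overflow_for(capture: bytes, has_qmark: bool, fixed: bool = False) -> int:
    """Bytes written past the allocation for an attacker-chosen capture."""
    main = Engine(is_args=has_qmark)  # '?' in the rewrite replacement
    size = length_pass(main, capture, fixed)
    _, spill = write_pass(main, size, capture)
    return spill


if __name__ == "__main__":
    cap = b"a b c"  # constructed capture: two spaces, each escaped to %20
    print(overflow_for(cap, has_qmark=True))              # 4
    print(overflow_for(cap, has_qmark=False))             # 0, no escaping
    print(overflow_for(cap, has_qmark=True, fixed=True))  # 0, passes agree
    print(overflow_for(b"\xff" * 10, has_qmark=True))     # 20: 10 bytes -> 30
```

Two things the model makes concrete: without a ? in the replacement the write pass never escapes, so the same capture fits exactly; and the attacker controls the overrun size directly, since every escapable byte in the captured path adds two bytes beyond what was allocated.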
Exploitation Chain: No Login Required
The depthfirst team demonstrated a full, reliable exploit chain using techniques that bypass NGINX's memory protections:
- An unauthenticated attacker sends a single crafted HTTP request to a route that uses the vulnerable rewrite + set configuration pattern. No credentials, session, or prior access are needed.
- Because NGINX forks its worker processes from a single master, the heap layout is deterministic across all workers. The attacker opens a second connection to manipulate allocations so that the victim pool lands adjacent to an attacker-controlled pool.
- The overflow is used to overwrite the cleanup pointer in the adjacent ngx_pool_t structure. The payload is sprayed through POST request bodies, because the URI cannot carry the null bytes the payload needs.
- When the pool is destroyed, the corrupted pointer redirects execution to a fake cleanup structure that invokes system(), giving arbitrary command execution as the NGINX worker user.
On hardened systems with ASLR fully enabled, the realistic worst case may be a worker process crash (DoS) rather than full RCE. However, NGINX's deterministic multi-process architecture significantly aids exploitation, and the researchers demonstrated reliable code execution in their PoC.
Affected Products & Versions
| Product | Affected Versions | Fixed In |
|---|---|---|
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.30.1 / 1.31.0 |
| NGINX Open Source (legacy) | 0.6.27 – 0.9.7 | No fix planned |
| NGINX Plus | R32 β R36 | R32 P6 / R36 P4 |
| NGINX Instance Manager | 2.16.0 β 2.21.1 | Check F5 advisory |
| NGINX App Protect WAF | 4.9.0β4.16.0 / 5.1.0β5.8.0 | Check F5 advisory |
| NGINX Gateway Fabric | 1.3.0β1.6.2 / 2.0.0β2.5.1 | Check F5 advisory |
| NGINX Ingress Controller | 3.5.0β5.4.1 (various) | Check F5 advisory |
Note for distribution users: If you run a distribution-packaged NGINX (Ubuntu, Debian, CentOS, etc.), do not assume you are safe based on the package name alone. Confirm the actual NGINX version number with nginx -v.
Remediation & Mitigation
Upgrade Immediately
Upgrade to NGINX Open Source 1.30.1 or 1.31.0, or NGINX Plus R36 P4 / R32 P6. Restart the service after patching for the fix to take effect.
Use Named Capture Groups
Replace all unnamed captures ($1, $2) with named captures in vulnerable rewrite rules. This eliminates the trigger condition.
# VULNERABLE: unnamed capture + ? in replacement
rewrite ^/api/(.*)$ /v2/$1? last;

# SAFE: named capture group eliminates the trigger
rewrite ^/api/(?P<path>.*)$ /v2/${path}? last;

Audit Your Configuration

grep -rn 'rewrite' /etc/nginx/ | grep '\$[0-9]' | grep '?'

Any output indicates a configuration that matches the trigger pattern and requires immediate attention. Two caveats: the grep matches a ? anywhere on the line, including a lazy quantifier such as (.*?) inside the regular expression or a trailing comment, so review each hit by hand; and it only covers files under /etc/nginx/, so configuration included from elsewhere is missed. nginx -T prints the complete configuration with every include resolved and is the better input to audit.
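A more precise audit than the one-line grep looks only at the replacement argument of each rewrite, so a ? in the regular expression does not count, and checks separately whether the configuration also uses set. The script below is an added example, not code from the advisory or from NGINX; its tokenizer is a deliberate simplification (no include expansion, so feed it nginx -T output, and no handling of # or ; inside quoted arguments), and the sample configuration is constructed for the demonstration.

```python
"""Audit NGINX configuration text for the CVE-2026-42945 trigger pattern:
a rewrite whose replacement uses an unnamed capture ($1, $2, ...) and a '?',
in a configuration that also uses the set directive.

Added example, not code from the advisory or from NGINX. The tokenizer is a
deliberate simplification: it does not expand include files (feed it the
output of `nginx -T` instead) and does not handle '#' or ';' inside quoted
arguments."""
import re
import shlex
import sys
from typing import List, Tuple

UNNAMED_CAPTURE = re.compile(r"\$\d")


def _split(stmt: str) -> List[str]:
    """Split one directive into words, honouring quotes but keeping
    backslashes (regexes use them) and dropping bare block braces."""
    lex = shlex.shlex(stmt, posix=True)
    lex.whitespace_split = True
    lex.escape = ""       # keep '\.' and friends intact
    lex.commenters = ""   # comments were stripped before tokenizing
    try:
        return [t for t in lex if t not in ("{", "}")]
    except ValueError:    # unbalanced quote: fall back to whitespace split
        return [t for t in stmt.split() if t not in ("{", "}")]


def directives(conf: str) -> List[Tuple[int, List[str]]]:
    """Return (line_number, [name, arg, ...]) for every directive."""
    found = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0]
        for stmt in line.split(";"):
            toks = _split(stmt.strip())
            if toks:
                found.append((lineno, toks))
    return found


def find_trigger_rewrites(conf: str) -> List[Tuple[int, str]]:
    """(line, replacement) for each rewrite whose replacement argument has
    an unnamed capture and a '?'. Only the replacement is examined, so a
    lazy quantifier such as (.*?) in the regex is not a false positive."""
    hits = []
    for lineno, toks in directives(conf):
        if toks[0] == "rewrite" and len(toks) >= 3:
            replacement = toks[2]
            if UNNAMED_CAPTURE.search(replacement) and "?" in replacement:
                hits.append((lineno, replacement))
    return hits


def uses_set(conf: str) -> bool:
    """True when any set directive appears; the advisory names rewrite and
    set together as the trigger condition."""
    return any(toks[0] == "set" for _, toks in directives(conf))


# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """\
server {
    listen 80;
    set $backend "v2";
    location /api/ {
        rewrite ^/api/(.*)$ /$backend/$1? last;          # trigger: $1 and ?
    }
    location /legacy/ {
        rewrite ^/legacy/(.*?)$ /old/$1 permanent;       # ? only in the regex
    }
    location /v3/ {
        rewrite ^/v3/(?<path>.*)$ /v3/${path}? last;     # named capture
    }
}
"""

if __name__ == "__main__":
    conf = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = find_trigger_rewrites(conf)
    for lineno, repl in hits:
        print(f"line {lineno}: rewrite replacement {repl!r} matches the trigger pattern")
    if hits and uses_set(conf):
        print("set directive also present: configuration matches the advisory's trigger")
    sys.exit(1 if hits else 0)
```

Run it as nginx -T | python3 audit.py so that every included file is covered; the non-zero exit status when a hit is found makes it usable as a gate in a configuration pipeline. On the sample only the /api/ rule is reported: the /legacy/ rule has its ? in the regex rather than the replacement, and the /v3/ rule uses a named capture.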
# Confirm the installed version
nginx -v

# Test configuration syntax
nginx -t

# Reload/restart the service
systemctl restart nginx

Disclosure Timeline
- Vulnerable code is introduced with NGINX 0.6.27. The bug lies dormant across all subsequent releases.
- depthfirst's autonomous analysis system scans the NGINX source code and detects four memory corruption issues, including CVE-2026-42945.
- depthfirst reports all five identified issues to NGINX via a GitHub security advisory.
- F5/NGINX confirms four of the five reported vulnerabilities.
- depthfirst informs NGINX that a working RCE proof-of-concept has been developed.
- depthfirst shares the RCE PoC with F5/NGINX along with a demonstration video.
- F5 releases the coordinated advisory and patched versions. depthfirst publishes the full technical write-up and PoC source code on GitHub.
- The PoC is publicly available. Active exploitation risk is high. Administrators must act immediately.
Why This Matters
NGINX powers an estimated one-third of all websites globally, serving as the reverse proxy, load balancer, API gateway, and Kubernetes Ingress layer of choice for cloud-native infrastructure. The rewrite module at the heart of this vulnerability is not an obscure feature: it underpins authentication boundaries, application routing, multi-tenant request handling, and legacy API migration paths across millions of production environments.
Three additional CVEs were disclosed alongside NGINX Rift: CVE-2026-42946 (CVSS 8.3, excessive memory allocation in ngx_http_scgi_module), CVE-2026-40701 (CVSS 6.3, use-after-free in ngx_http_ssl_module), and CVE-2026-42934. Administrators should treat this as a full upgrade event, not a single patch.
That a critical RCE bug of this nature survived 18 years undetected, not because the code was obfuscated but because the vulnerability only emerges from the interaction of three separate components, is a sobering reminder that traditional code review and fuzzing alone are insufficient for complex stateful systems.
CVE-2026-42945 is a real, critical, exploitable vulnerability with a public PoC. Upgrade NGINX Open Source to 1.30.1 or 1.31.0 or NGINX Plus to R36 P4 / R32 P6 immediately. If you cannot patch, audit your rewrite rules with the grep command above and migrate to named capture groups as a stopgap. Do not delay.
