CVE-2026-42945: Active Exploitation of NGINX Servers Underway
CVE-2026-42945 is being actively exploited in the wild, targeting NGINX rewrite modules to trigger immediate DoS or conditional RCE. Critical patches and confi…

On May 16, 2026, VulnCheck’s canary sensors began detecting active exploitation attempts targeting CVE-2026-42945, a critical vulnerability in the NGINX rewrite module dubbed "NGINX Rift." These attacks surfaced just three days after Depthfirst researchers published a proof-of-concept (PoC), effectively eliminating the typical patching window for infrastructure utilizing NGINX as a web server, reverse proxy, or load balancer. The threat manifests as an immediate denial-of-service (DoS) and, under specific conditions, remote code execution (RCE) via specially crafted HTTP requests.
- VulnCheck detection systems reported active exploitation attempts starting May 16, 2026, roughly three days following the release of the Depthfirst PoC.
- The flaw resides in the ngx_http_rewrite_module: rewrite directives using unnamed regex captures ($1, $2) and replacement strings containing question marks trigger an escaping mismatch, leading to a heap overflow.
- The impact ranges from DoS on standard configurations to conditional RCE, though the latter requires ASLR to be disabled on the target server.
- Censys queries indicate approximately 5.7 million NGINX servers are exposed online with potentially vulnerable versions, though the truly exploitable population is a smaller subset tied to specific rewrite configurations.
Technical Analysis: The Rewrite Module Heap Overflow
The vulnerability is rooted in buffer calculation errors within the ngx_http_rewrite_module, the component responsible for URI rewriting in NGINX. When a configuration employs a rewrite directive with unnamed regex captures ($1, $2) and the replacement string includes a question mark, the code incorrectly estimates the required buffer size during the escaping phase. The resulting allocated buffer is smaller than the string eventually written, leading to heap corruption within the worker process handling the request. This discrepancy between escaping assumptions and actual write operations is the core of the defect.
"A bug in the ngx_http_rewrite_module lets a remote, unauthenticated attacker corrupt the heap of an NGINX worker process by sending a crafted URI. The trigger is a common configuration pattern: a rewrite directive with an unnamed regex capture ($1, $2) and a replacement string that contains a question mark, followed by another rewrite, if, or set directive."
The remote, unauthenticated nature of this vulnerability makes it particularly dangerous: any actor capable of reaching the server via HTTP can transmit a crafted URI to trigger corruption. The subsequent presence of another rewrite directive, an if block, or a set directive completes the execution chain required to write beyond buffer boundaries. Attackers do not need to interact with the underlying operating system; the malicious request alone is sufficient to compromise the NGINX process memory.
From PoC to In-the-Wild Exploitation: A Three-Day Window
The vulnerability was publicly disclosed as CVE-2026-42945, with the Depthfirst PoC demonstrating laboratory feasibility. According to VulnCheck, the first in-the-wild exploitation attempts were caught by canary systems on May 16, 2026—a window of only three days from the initial technical disclosure.
This rapid turnaround effectively eliminates the traditional lead time security teams use to test and deploy patches in production environments. For organizations relying on NGINX for web presence, reverse proxies, and load balancing, the gap between exploit availability and active targeting has shrunk to a level where responses must be automated rather than scheduled. The simultaneous disclosure of the technical mechanism and active exploitation leaves no room for long-term risk assessment.
Guaranteed DoS and Conditional RCE: Assessing Risk
On NGINX configurations utilizing the vulnerable rewrite pattern, the exploit guarantees at least a denial-of-service: a worker process crash interrupts the current request and can degrade overall node performance, particularly if the attack is repeated at scale. This scenario is reachable on installations using the combination of unnamed captures and question marks—a syntax found in many legacy configurations and some modern templates.
Remote code execution, however, is a more restricted possibility. Reports indicate that full server compromise requires ASLR (Address Space Layout Randomization) to be disabled on the target system. While this reduces the overall attack surface, it does not mitigate the criticality of the flaw. Kevin Beaumont and VulnCheck have noted that attackers can achieve RCE if they find ways to bypass or disable ASLR, shifting the focus from service exposure to underlying OS security.
The population of potentially exposed servers is significant but heterogeneous. A Censys query identifies roughly 5.7 million internet-facing NGINX servers running versions within the affected range. However, as VulnCheck’s Initial Access team clarified, the actually exploitable portion is much smaller and strictly dependent on the specific rewrite configuration that triggers the escaping mismatch.
Mitigation and Remediation Steps
Immediate countermeasures are available and, in the case of configuration-based mitigations, do not necessarily require kernel reboots or extended maintenance windows. Security teams should prioritize the following actions:
- Update to Patched Versions: F5 has released fixes in NGINX Open Source versions 1.31.0 and 1.30.1, as well as corresponding NGINX Plus releases. Installation is urgent for any node exposed to untrusted internet traffic.
- Adopt Named Captures in Rewrite Directives: Replacing unnamed regex captures ($1, $2) with named captures changes the rewrite module’s processing flow and removes the escaping mismatch trigger. This mitigation can be applied at the configuration level immediately without waiting for software upgrades.
- Inspect Logs and Monitor for Crashes: Audit logs for anomalous HTTP requests targeting crafted URIs and monitor for sudden worker process restarts. An uptick in rewrite module errors or out-of-memory messages may indicate active exploitation attempts.
- Address the DoS Risk: Even if RCE requires specific conditions, DoS is achievable on common configurations and causes immediate service disruption. Organizations should assume their servers can be taken offline by remote, unauthenticated HTTP requests.
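The "Inspect Logs and Monitor for Crashes" step above can be turned into a concrete check. The script below is an added example, not code from the advisory, VulnCheck or the nginx project: it reads NGINX's error.log, keeps the master process's "worker process N exited on signal S" lines for the signals a worker dies with after its heap has been corrupted, and reports any one-minute window in which the crash count reaches a threshold. The log lines are constructed for the demonstration, and the window size, threshold and signal set are assumptions to tune per site; a burst of crashes is a reason to inspect the access log and the rewrite configuration, not proof of exploitation on its own.

```python
"""Detect bursts of NGINX worker crashes in error.log.

Added example, not code from the advisory, VulnCheck or the nginx project.
It parses the master process's "worker process <pid> exited on signal <n>"
lines, keeps only the signals a worker dies with after corrupting its own
heap, and reports every sliding window in which the crash count reaches a
threshold. The log lines are constructed; window and threshold are
assumptions to tune per site.
"""
import re
from datetime import datetime, timedelta

# nginx error.log shape: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
CRASH_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)'
)

# SIGABRT, SIGBUS, SIGSEGV: the usual end of a worker whose heap was corrupted.
# SIGKILL (9), e.g. from the OOM killer, is deliberately not counted here.
FATAL_SIGNALS = {6, 7, 11}

# Constructed sample: three segfaults inside 25 seconds, one unrelated error,
# and one worker killed with SIGKILL much later.
SAMPLE_ERROR_LOG = """\
2026/05/16 10:02:13 [notice] 1234#1234: start worker process 5678
2026/05/16 10:02:40 [alert] 1234#1234: worker process 5678 exited on signal 11 (core dumped)
2026/05/16 10:02:40 [notice] 1234#1234: start worker process 5690
2026/05/16 10:02:52 [alert] 1234#1234: worker process 5690 exited on signal 11 (core dumped)
2026/05/16 10:02:52 [notice] 1234#1234: start worker process 5701
2026/05/16 10:03:05 [alert] 1234#1234: worker process 5701 exited on signal 11 (core dumped)
2026/05/16 10:03:05 [notice] 1234#1234: start worker process 5712
2026/05/16 11:40:09 [error] 5712#5712: *41 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: example.com, request: "GET /favicon.ico HTTP/1.1"
2026/05/16 11:58:30 [alert] 1234#1234: worker process 5712 exited on signal 9
"""


def parse_crashes(log_text):
    """Return [(timestamp, pid, signal), ...] for worker exits on a fatal signal."""
    events = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue
        sig = int(m.group('sig'))
        if sig not in FATAL_SIGNALS:
            continue
        ts = datetime.strptime(m.group('ts'), '%Y/%m/%d %H:%M:%S')
        events.append((ts, int(m.group('pid')), sig))
    return events


def crash_bursts(events, window=timedelta(minutes=1), threshold=3):
    """Slide a time window over the crash events (oldest first).

    Returns [(window_start, count), ...] for every position at which the
    number of crashes inside `window` reaches `threshold`.
    """
    events = sorted(events)
    bursts = []
    start = 0
    for end, (ts, _pid, _sig) in enumerate(events):
        while ts - events[start][0] > window:   # drop events older than the window
            start += 1
        count = end - start + 1
        if count >= threshold:
            bursts.append((events[start][0], count))
    return bursts


if __name__ == '__main__':
    crashes = parse_crashes(SAMPLE_ERROR_LOG)
    for ts, pid, sig in crashes:
        print(f'{ts} worker {pid} died on signal {sig}')
    for start, count in crash_bursts(crashes):
        print(f'ALERT: {count} worker crashes within a minute of {start}')
```

Run against a live error.log, the same two functions can feed a log shipper or an alerting rule; raising the threshold or widening the window trades sensitivity for fewer alerts during ordinary reloads, which do not end with a fatal signal and so never count.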
The speed at which the "NGINX Rift" PoC translated into active exploitation confirms that the reaction window for administrators has narrowed to hours. Because the triggering rewrite configuration is common in web serving, immediate verification of production directives is imperative. For organizations managing millions of sessions via NGINX, the priority is no longer planning a future update, but executing it now to close an active attack window.
Frequently Asked Questions
Which NGINX versions are affected by CVE-2026-42945?
Affected versions of NGINX Open Source range from 0.6.27 to 1.30.0. NGINX Plus is vulnerable from releases R32 through R36. F5 has provided patches in versions 1.31.0 and 1.30.1 to correct the rewrite module's escaping mismatch.
How do named captures technically block the exploit?
The bug stems from an escaping mismatch during buffer size estimation, specifically occurring with unnamed regex captures ($1, $2) and replacement strings containing question marks. Using named captures alters how NGINX calculates and handles rewrite variables, preventing the heap overflow condition without requiring binary code changes.
Have there been confirmed cases of RCE in the wild, or only DoS?
As of now, it is unconfirmed whether the attempts detected by VulnCheck have resulted in remote code execution on production systems. Documented exploitation currently points to memory corruption and denial-of-service. Conditional RCE remains a threat if ASLR is disabled on the target, which limits the probability of success but does not eliminate the need for patching.
Information has been verified against cited sources and is current as of the time of publication.