NGINX Rift: Active Exploitation of CVE-2026-42945 Detected In the Wild
In-the-wild attacks targeting CVE-2026-42945 (NGINX Rift) began on May 16, 2026. Security researchers analyze the critical heap buffer overflow vulnerability a…

Active exploitation of a critical vulnerability in the NGINX web server, designated CVE-2026-42945 and dubbed "NGINX Rift," officially commenced on May 16, 2026. Confirmation came from VulnCheck’s canary systems, which intercepted the first compromise attempts just days after a proof-of-concept (PoC) was made public. The flaw exposes millions of servers to service disruptions and, in specific environments, Remote Code Execution (RCE).
With a CVSS score of 9.2, the vulnerability resides within the ngx_http_rewrite_module. Although triggering the flaw requires specific configurations, NGINX’s role as the backbone of modern web infrastructure makes this threat a top priority for security teams. From enterprise load balancers to reverse proxies, the attack surface spans nearly two decades of software evolution.
- A heap buffer overflow in the ngx_http_rewrite_module allows unauthenticated remote attackers to corrupt memory via specially crafted URIs.
- In standard configurations, the exploit triggers a worker process crash and restart, resulting in a persistent Denial-of-Service (DoS) condition.
- If Address Space Layout Randomization (ASLR) is disabled, the flaw can escalate to Remote Code Execution (RCE), granting full control over the vulnerable server.
- According to Censys queries, approximately 5.7 million NGINX instances are running potentially vulnerable versions, spanning a period of over 16 years.
Technical Origins: The Two-Pass Rewrite Engine Flaw
The technical root of NGINX Rift is a logic discrepancy in buffer size calculation during URI rewriting. The ngx_http_rewrite_module utilizes a script engine that processes directives in two distinct passes: the first pass calculates the memory required for the new string, and the second performs the actual data copy. The vulnerability occurs when an internal status flag fails to propagate correctly between these steps.
Specifically, when the engine encounters configurations using regular expressions with unnamed captures (such as $1 or $2 variables) and a replacement string containing a question mark, the length calculation can fail. If this sequence is followed by other directives like rewrite, if, or set, the system may write data beyond the boundaries of the previously allocated heap buffer. This memory corruption allows an attacker to manipulate the internal state of the worker process.
The discovery highlights a 16-year latency in the NGINX codebase. The fact that such a fundamental error remained silent since version 0.6.27 underscores the difficulty of identifying memory management flaws in high-performance systems. Even a codebase regarded as one of the most secure can harbor structural weaknesses that only surface under specific analysis of less common script engine execution paths.
DoS and RCE: The Dual Threat to Web Infrastructure
The impact of CVE-2026-42945 varies significantly based on the host system's configuration. On default installations, an exploit attempt causes a segmentation fault that crashes the worker process. While NGINX is designed to automatically restart failed workers, a sustained attack can saturate system resources, rendering the web service unreachable. This Denial-of-Service scenario is the most immediate threat detected by VulnCheck monitoring.
However, the more severe risk involves potential code execution. In systems where Address Space Layout Randomization (ASLR) is disabled, heap corruption can be exploited to hijack the execution flow, allowing an attacker to inject arbitrary commands. While there have been no confirmed reports of successful RCE in production yet, the technical possibility makes immediate updates critical for infrastructure security.
The "unauthenticated" nature of the attack means any entity with HTTP access to the server can attempt a compromise. In ecosystems where NGINX serves as a gateway to internal networks, a successful RCE could serve as a foothold for lateral movement. Perimeter protection now depends on the speed at which organizations can identify and patch vulnerable instances before attackers refine their exploitation techniques.
"We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published"
— Patrick Garrity, Researcher at VulnCheck
Global Exposure: 5.7 Million Servers Identified by Censys
The scale of the vulnerability is significant. An investigation conducted via the Censys platform revealed that roughly 5.7 million publicly exposed NGINX servers are running versions potentially affected by NGINX Rift. This figure includes both the Open Source version (0.6.27 through 1.30.0) and the commercial NGINX Plus edition (vR32 through R36). While not all these servers utilize the specific rewrite configuration required for the exploit, the breadth of the sample is telling.
The primary challenge lies in installation fragmentation. NGINX is frequently embedded in hardware appliances, container images, or legacy Linux distributions that do not receive frequent updates. Many of these 5.7 million hosts may remain vulnerable for months due to the difficulty of patching critical systems that require minimal downtime. The nature of edge infrastructure makes deploying fixes a complex logistical operation for large enterprises.
The Censys data highlights how the bug’s longevity allowed it to permeate almost every industry sector. From financial institutions to cloud service providers, NGINX is ubiquitous. System administrators must now determine if their rewrite configurations match the dangerous patterns identified by researchers, turning a technical vulnerability into a large-scale global operational burden.
From PoC to Offensive: The 72-Hour Window
The speed of the transition from theory to active exploitation is concerning. A proof-of-concept was released by researchers at Depthfirst, and within approximately 72 hours, the first real-world attacks were recorded. This compressed timeline demonstrates that threat actors are constantly monitoring security repositories to automate the deployment of new exploits. The defensive window has shrunk drastically, requiring immediate response cycles.
Depthfirst researchers described the attack as a method to corrupt the heap by sending a carefully crafted URI. This simplicity has led to rapid adoption by mass-scanning groups. Once an exploit is integrated into automated scanning scripts, the entire vulnerable internet surface is targeted almost instantly, often outpacing the manual reaction capabilities of IT security teams.
This dynamic emphasizes the importance of proactive monitoring. Without VulnCheck’s canaries, the start of in-the-wild exploitation on May 16 could have gone undetected for days. Timely notification of malicious activity is now an essential tool for driving organizations toward the accelerated patching cycles necessary to counter exploits that hit the market nearly simultaneously with official technical analyses.
Recommended Response Actions
- Immediate Software Updates: It is critical to upgrade NGINX Open Source to versions 1.31.0 or 1.30.1. NGINX Plus users should immediately apply the official patches released by F5 for the affected versions.
- Audit Rewrite Configurations: Inspect configuration files for rewrite directives that use unnamed regex captures (e.g., $1, $2) alongside strings containing question marks. If found, these lines must be prioritized for modification or removal.
- Verify ASLR Protection: Ensure that Address Space Layout Randomization is enabled at the operating system kernel level. While this does not prevent process crashes (DoS), it serves as the primary barrier against Remote Code Execution (RCE) attempts.
- Monitor Error Logs: Implement specific alerts for NGINX worker process crashes. An unusual spike in worker restarts, combined with URIs containing anomalous special character sequences, may indicate ongoing exploitation attempts.
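As an added defender-side example (not code from the article, VulnCheck, Depthfirst or the NGINX project), the following Python covers the two audit items above: it flags rewrite directives whose replacement combines a positional capture ($1..$9) with a question mark, and counts worker SIGSEGV exits per minute in an nginx error log. The configuration pattern is taken from the article's description, the log message wording from standard nginx error logging, and the sample config and log lines are constructed.

```python
import re
from collections import Counter

# 1. Configuration audit. One rewrite directive per line:
#    rewrite <regex> <replacement> [flag];  arguments bare or quoted, as nginx allows.
_TOKEN = r'"[^"]*"|\'[^\']*\'|[^\s;]+'
REWRITE_LINE = re.compile(r'^\s*rewrite\s+(%s)\s+(%s)' % (_TOKEN, _TOKEN))
UNNAMED_CAPTURE = re.compile(r'\$[1-9]')  # $1..$9 positional captures

def _unquote(tok):
    return tok[1:-1] if len(tok) > 1 and tok[0] == tok[-1] and tok[0] in '"\'' else tok

def find_risky_rewrites(conf_text):
    """(line_no, regex, replacement) for each rewrite whose replacement uses an
    unnamed capture and contains '?', the pattern the article names. A hit means
    'review this line against the vendor advisory', not 'this host is exploitable'."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith('#'):  # commented-out directive, skip
            continue
        m = REWRITE_LINE.match(line)
        if m:
            regex, repl = _unquote(m.group(1)), _unquote(m.group(2))
            if UNNAMED_CAPTURE.search(repl) and '?' in repl:
                hits.append((no, regex, repl))
    return hits

# 2. Error-log check. The nginx master logs "worker process <pid> exited on
#    signal <n>" at [alert] when a worker dies; bursts of signal 11 (SIGSEGV)
#    are the crash-and-restart DoS symptom described above.
CRASH_LINE = re.compile(
    r'^(\d{4}/\d\d/\d\d \d\d:\d\d):\d\d \[alert\] .*worker process \d+ exited on signal 11')

def crash_minutes_over(error_log, threshold):
    """{minute: count} for each minute with more than `threshold` SIGSEGV worker exits."""
    per_minute = Counter(m.group(1) for m in map(CRASH_LINE.match, error_log.splitlines()) if m)
    return {minute: n for minute, n in per_minute.items() if n > threshold}

# Constructed sample input (not taken from any real deployment or incident).
SAMPLE_CONF = r"""server {
    # legacy redirect kept from an old deployment
    rewrite ^/old/(.*)$ /new/$1?from=legacy last;
    rewrite ^/docs/(.*)$ /documentation/$1 permanent;
    rewrite "^/user/(?<name>\w+)$" /profile?u=$name last;
    # rewrite ^/legacy/(.*)$ /x/$1?y=1 last;
}"""
SAMPLE_LOG = "\n".join(
    ["2026/05/16 10:00:0%d [alert] 1234#0: worker process %d exited on signal 11" % (i, 5000 + i)
     for i in range(4)] + ["2026/05/16 10:01:30 [notice] 1234#0: start worker process 6000"])
```

Run `find_risky_rewrites` over each included config file, since the pattern is only a trigger when it appears in the active configuration; a per-minute crash count above a few events, combined with odd URIs in the access log, is the signal the last recommendation describes.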
The NGINX Rift emergency is not an isolated event but a warning regarding the fragility of core components of global web traffic. With millions of servers at risk and attacks already underway, technical response speed will determine an organization's ability to avoid critical disruptions. Proper memory management and vigilance over legacy configurations remain the irreplaceable pillars of perimeter defense in the current threat landscape.
The information in this report has been verified based on technical analyses from VulnCheck and Depthfirst and is current as of the latest detection of in-the-wild attacks.