NGINX Rift: Critical CVE-2026-42945 Exploitation Detected In-the-Wild

The NGINX Rift vulnerability (CVE-2026-42945) has seen active exploitation since May 16, leveraging a long-dormant heap buffer overflow for DoS and potential R…

Unauthenticated attackers have begun actively exploiting CVE-2026-42945—dubbed "NGINX Rift"—a vulnerability within the ngx_http_rewrite_module. Initial activity was detected by VulnCheck via canary systems on May 16, 2026, just 72 hours after Depthfirst published a proof-of-concept. This discovery has transformed a memory-unsafe flaw that lay dormant for nearly 18 years into an immediate operational crisis for the world's most widely used web server. The bug, a deterministic heap buffer overflow, leaves websites, APIs, and delivery infrastructures vulnerable to service disruptions or remote compromise, though it is limited to specific configurations using rewrite directives with unnamed regex captures and replacement strings containing the '?' character.

Key Takeaways

VulnCheck confirmed active in-the-wild exploitation starting May 16, 2026, following the release of a public PoC.
The vulnerability is a heap buffer overflow in NGINX's ngx_http_rewrite_module, existing in the codebase since 2008 and discovered by Depthfirst using an AI-native analysis platform.
The primary impact is a reliable Denial of Service (DoS) via worker process crashes; Remote Code Execution (RCE) is possible but requires specific configurations and the absence of ASLR.
While approximately 5.7 million NGINX servers are exposed online with potentially vulnerable versions, the subset of exploitable configurations is expected to be significantly smaller.

An 18-Year-Old Flaw in the Rewrite Engine

CVE-2026-42945 resides within NGINX’s ngx_http_rewrite_module and was introduced into the source code in 2008, starting with version 0.6.27. For nearly 18 years, this vulnerability remained latent within the URI rewrite engine—a core component of the open-source web server used globally for managing high-traffic websites, APIs, and static content delivery.

The flaw was identified by the team at Depthfirst, who utilized an AI-native platform for automated code analysis, and was responsibly reported on April 21, 2026. F5, the current maintainer of the project, subsequently issued a technical advisory and released updates for both NGINX Open Source and NGINX Plus. Major Linux distributions, including AlmaLinux, Ubuntu, and Debian, have since begun rolling out patched packages to their respective repositories.

The defect stems from a buffer size calculation error within the rewrite module's two-pass script engine. During the first pass, the engine estimates the space required to construct the rewritten URI. However, during the second pass, these assumptions change when unnamed regex captures are paired with a replacement string containing a '?' character and subsequent directives. This discrepancy allows for a deterministic write beyond the boundaries of the allocated heap area.

Exploitation Timeline: 72 Hours from Disclosure to Attack

The transition from public disclosure to active exploitation was remarkably swift. Shortly after F5 released its advisory, Depthfirst published detailed technical specifics and proof-of-concept code. Within approximately 72 hours, VulnCheck detected active exploitation attempts through its canary systems and honeypot networks, with the first confirmed hit recorded on May 16, 2026.

Observed attacks utilize specifically crafted HTTP requests designed to trigger the overflow on servers running vulnerable configurations. The identity and ultimate objectives of the threat actors remain unknown, though current operations range from preliminary reconnaissance to intentional crash loops aimed at degrading service availability.

Based on Censys queries, VulnCheck estimates that roughly 5.7 million NGINX servers exposed to the internet are running potentially vulnerable versions. However, researchers from the Initial Access team emphasize that the actual exploitable surface is likely much narrower, as it depends entirely on the presence of critical rewrite directives and the specific geometry of the incoming request.

Technical Breakdown: The Two-Pass Engine Heap Overflow

The technical core of the exploit leverages a deterministic heap buffer overflow where the attacker maintains direct control over the overflowing bytes. Depthfirst documentation reveals that the buffer size calculation in the first pass of the script engine relies on different assumptions than those used in the actual writing phase. This creates a precise undersizing condition when the replacement string includes a '?' and involves unnamed captures like $1 or $2.

In this scenario, the bytes written past the allocation are not random; they are derived directly from the input URI, which the attacker can mold. As researchers explained:

"The bytes written past the allocation are derived from the attacker’s URI, so the corruption is shaped by the attacker rather than random. Repeated requests can also be used to keep workers in a crash loop and degrade availability for every site served by the instance."

To escalate the overflow into Remote Code Execution (RCE), the proof-of-concept utilizes a sophisticated cross-request heap feng shui technique. The attacker corrupts the cleanup pointer of an adjacent ngx_pool_t structure, redirecting it toward a forged ngx_pool_cleanup_s that invokes system() during pool destruction. POST bodies are used for spraying to bypass the limitation that URI bytes cannot contain null bytes.

DoS vs. RCE: Assessing the Risk Perimeter

The impact of this vulnerability varies significantly across different environments. Denial of Service is highly reliable and immediate: an NGINX worker processing a malformed request in a vulnerable configuration will crash. Repeated requests can effectively keep an instance in a failure loop, degrading the availability of every site and API served by that instance.

Remote Code Execution, however, is heavily dependent on the target environment. F5, VulnCheck, and researcher Kevin Beaumont agree that converting this heap overflow into code execution is non-trivial on systems with Address Space Layout Randomization (ASLR) enabled—which is the default on all supported AlmaLinux releases.

AlmaLinux maintainers clarified: "Turning the heap overflow into reliable code execution is not trivial in the default configuration, and on systems with ASLR enabled... we do not expect a generic, reliable exploit to be easy to produce. That said, 'not easy' is not 'impossible,' and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent."

This distinction is vital for prioritization: while RCE requires non-standard configurations or disabled protections, the threat of a reliable DoS is sufficient to warrant immediate intervention on all exposed instances.

Mitigation and Remediation Steps

Immediately audit NGINX configurations for rewrite directives using unnamed regex captures (e.g., $1, $2) where the replacement string contains a '?' followed by additional directives.
Apply updates from F5 for NGINX Open Source (versions 1.30.1 and 1.31.0) and NGINX Plus (R32 P6, R36 P4, 37.0.0), or use patched packages from Linux distributions like AlmaLinux, Ubuntu, and Debian.
Verify that Address Space Layout Randomization (ASLR) is active at the OS level, as it significantly increases the difficulty of executing a generic RCE exploit.
Monitor logs for anomalous HTTP requests targeting rewrite-heavy endpoints and consider implementing rate limiting or WAF rules to mitigate the risk of worker crash loops.

The speed with which the NGINX Rift proof-of-concept transitioned to active exploitation serves as a stark reminder that historical latency no longer provides safety.

A memory-unsafe vulnerability that was dormant for nearly two decades can become an operational emergency in less than a week, redefining the required reaction time for infrastructure administrators.

The lesson is not purely technical: web server configuration remains a critical and often overlooked attack surface where even common directives can mask critical flaws.

Frequently Asked Questions

Are all NGINX installations at risk?

No. The vulnerability only manifests in specific rewrite configurations involving unnamed captures and a '?' in the replacement string. Servers not utilizing this specific combination are not affected.

Is RCE practical on modern systems?

Technical consensus suggests RCE is difficult on systems with ASLR enabled, which is the default for major Linux distributions. The primary and immediate risk remains Denial of Service via worker crashes.

Which versions resolve the flaw?

F5 has released patches for NGINX Open Source 1.30.1 and 1.31.0, and NGINX Plus R32 P6, R36 P4, and 37.0.0. Linux vendors are also currently distributing updated packages.

Information has been verified against cited sources and is current as of the time of publication.