18-year-old NGINX Rift flaw enables unauthenticated RCE

An 18-year-old heap overflow in NGINX’s rewrite module (CVE-2026-42945), called NGINX Rift, allows unauthenticated attackers to trigger remote code execution or DoS with crafted HTTP requests.
Security researcher depthfirst disclosed a heap buffer overflow in NGINX’s ngx_http_rewrite_module on April 21, 2026. The issue, tracked as CVE-2026-42945 and dubbed NGINX Rift, carries a CVSS v4 score of 9.2 and can lead to remote code execution or a denial-of-service condition when exploited over HTTP.
F5, which maintains NGINX Plus and publishes security guidance for NGINX Open Source, described the fault as arising when a rewrite directive is followed by another rewrite, an if, or a set directive and the replacement string contains an unnamed PCRE capture such as $1 or $2 together with a question mark. A single crafted HTTP request can trigger a heap overflow in an NGINX worker process by supplying a malicious URI that forms the replacement data.
Depthfirst noted that bytes written past the allocated buffer are derived from the attacker’s URI, allowing the attacker to shape the memory corruption. On systems where Address Space Layout Randomization (ASLR) is disabled, the corruption can lead to remote code execution. On all affected systems, repeated crafted requests can force worker processes into crash loops, producing a denial-of-service that affects every site served by the instance.
F5 and NGINX published patches across multiple product lines. Fixes were introduced in NGINX Plus releases R32 through R36 (with patches in R32 P6 and R36 P4). NGINX Open Source releases addressing the affected 1.0.0–1.30.0 line are 1.30.1 and 1.31.0. Very old Open Source branches from 0.6.27 to 0.9.7 are listed with no fixes planned. Updates also cover NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF and DoS modules, NGINX Gateway Fabric, and the NGINX Ingress Controller across specific version ranges noted in vendor advisories.
Alongside CVE-2026-42945, NGINX Plus and Open Source received patches for three other vulnerabilities. CVE-2026-42946 (CVSS 8.3) is an excessive memory allocation issue in ngx_http_scgi_module and ngx_http_uwsgi_module that can let an attacker with adversary-in-the-middle capabilities, by controlling upstream responses, read worker memory or restart workers when scgi_pass or uwsgi_pass is used. CVE-2026-40701 (CVSS 6.3) is a use-after-free in ngx_http_ssl_module that can permit limited memory modification or worker restarts when ssl_verify_client is set to on or optional and ssl_ocsp is on. CVE-2026-42934 (CVSS 6.3) is an out-of-bounds read in ngx_http_charset_module that can disclose memory or restart workers when the charset, source_charset, and charset_map directives are used together with proxy_pass and buffering is off.
Administrators are advised to apply the published updates from NGINX and F5 without delay. Where immediate patching is not feasible, depthfirst and F5 recommend a configuration workaround for CVE-2026-42945: replace unnamed PCRE captures in affected rewrite directives with named captures to avoid the vulnerable replacement path. Operators should also audit externally reachable NGINX instances and confirm that ASLR and other memory-hardening measures are enabled to reduce the chance that a heap overflow will lead to code execution.
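For the configuration audit described above, the following added example (not code from F5, depthfirst or the NGINX project) scans configuration text for rewrite directives that match the reported pattern, so they can be rewritten with named captures. It assumes "followed by" means a later rewrite, if, or set directive in the same block, does not follow include files, and uses hypothetical function names and a constructed sample configuration.

```python
import re

# Tokens: comment, quoted string, block/terminator punctuation, bare word.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')
FOLLOWERS = {"rewrite", "if", "set"}

def parse(conf):
    """Return [(block_id, line, words)] in file order; `if (...) {` counts as a directive."""
    out, words, stack, line = [], [], [0], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):
            if not words:
                line = conf.count("\n", 0, m.start()) + 1
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)
            continue
        if words:
            out.append((stack[-1], line, words))
            words = []
        if tok == "{":
            stack.append(m.start() + 1)  # offset of the brace is a unique block id
        elif tok == "}" and len(stack) > 1:
            stack.pop()
    return out

def audit(conf):
    """Flag rewrites whose replacement has $1..$9 and '?', with a later rewrite/if/set in the block."""
    ds, findings = parse(conf), []
    for i, (block, line, w) in enumerate(ds):
        if w[0] != "rewrite" or len(w) < 3 or "?" not in w[2] or not re.search(r"\$[1-9]", w[2]):
            continue
        nxt = next((d for d in ds[i + 1:] if d[0] == block and d[2][0] in FOLLOWERS), None)
        if nxt:
            findings.append((line, " ".join(w), nxt[2][0], nxt[1]))
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
location /a/ {
    rewrite ^/a/(.*)$ /b?path=$1;            # unnamed capture plus '?': flagged
    set $flag 1;
}
location /c/ {
    rewrite ^/c/(?<rest>.*)$ /d?path=$rest;  # named capture form: not flagged
    set $flag 1;
}
"""
print(audit(SAMPLE))
```

Each finding is a tuple of the rewrite's line number, the directive text, the following directive's name and its line number. A hit marks a directive to review and convert, not proof that the instance is exploitable.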
NGINX is used as a web server, reverse proxy and load balancer in many internet and enterprise deployments. The disclosure prompted coordinated advisories and rapid patch releases across NGINX and F5 product lines. Depthfirst warned, “An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution.”







