A critical vulnerability in the widely used NGINX web server, cataloged as CVE-2026-42945, is now being actively exploited by attackers. Security researchers at VulnCheck detected exploitation attempts beginning on May 16, 2026, just three days after proof-of-concept code was made public. The flaw, which has been dubbed “NGINX Rift,” represents one of the most serious security issues to affect the web server in recent years.
Understanding the NGINX Vulnerability
CVE-2026-42945 is a memory corruption vulnerability residing in the ngx_http_rewrite_module. This module handles URL rewriting, a common feature used to redirect traffic or modify request paths. The bug is triggered when a specific configuration pattern is present: a rewrite directive using an unnamed regular expression capture (such as $1 or $2) combined with a replacement string containing a question mark, followed by another rewrite, if, or set directive. Under these conditions, NGINX miscalculates the buffer size needed to process the URI, leading to a heap overflow.
Because the bytes written past the allocated buffer come directly from the attacker’s controlled URI, the corruption is not random but shaped by the attacker. This deterministic nature makes the vulnerability particularly dangerous, as it allows for precise memory manipulation. While the immediate and most reliable impact is a denial-of-service (DoS) condition—crashing the worker process repeatedly—researchers have demonstrated that remote code execution (RCE) is possible if address space layout randomization (ASLR) is disabled on the target system.
It is important to note that not every NGINX deployment is vulnerable. The exploit requires the specific rewrite configuration to be present. Internet scans by Censys identified approximately 5.7 million NGINX servers running potentially vulnerable versions, but the actual number of exploitable instances is likely a much smaller subset. Nevertheless, given NGINX’s massive adoption as a web server, load balancer, and reverse proxy, even a fraction of that population represents a significant attack surface.
Affected Versions and Products
The vulnerability affects a wide range of NGINX versions, including NGINX Open Source from version 0.6.27 up to and including 1.30.0. On the commercial side, NGINX Plus versions R32 through R36 are vulnerable. In addition, several F5 products that embed NGINX are also impacted, such as the NGINX Ingress Controller, F5 WAF for NGINX, and F5 DoS for NGINX. The advisory from F5 provided detailed version numbers for each product.
The flaw was discovered by researchers at Depthfirst, a company specializing in AI-native vulnerability detection platforms. They identified five security issues in NGINX, with CVE-2026-42945 being the most critical. Depthfirst published technical details and a proof-of-concept exploit shortly after F5 released its patches, a move that is standard practice in responsible disclosure but also accelerates the timeline for attackers to develop their own exploits.
Exploitation in the Wild
According to Patrick Garrity from VulnCheck, their canary systems began detecting exploitation attempts on May 16. The effectiveness of these attempts varies depending on the target’s configuration and security posture. For default NGINX installations, achieving a denial-of-service state is straightforward and can cause worker processes to crash repeatedly, effectively taking the server offline for all hosted sites. While RCE is more difficult due to ASLR, security researcher Kevin Beaumont noted that if an attacker can find a way to disable ASLR—perhaps through another vulnerability or local access—then code execution becomes feasible.
The speed at which active exploitation began highlights the importance of rapid patching. Administrators are urged to assess their NGINX configurations to determine if they are using the vulnerable rewrite pattern. Even if a system is not exploitable for RCE, the DoS potential alone can disrupt operations.
Mitigation and Patches
F5 has released fixes for all affected products. For NGINX Open Source, the patched versions are 1.31.0 and 1.30.1. NGINX Plus users should upgrade to R36 P4 or R32 P6. F5 WAF for NGINX version 5.13.0 and F5 DoS for NGINX version 4.9.0 contain the fix. In addition to upgrading, F5 provided a configuration-based mitigation: using named captures (e.g., $named) instead of unnamed captures in rewrite directives. This simple change avoids the buffer miscalculation entirely.
Major Linux distributions have also responded swiftly. AlmaLinux, Ubuntu, and Debian developers have begun releasing patched nginx packages to their repositories. System administrators should check for updates through their package manager as soon as possible.
For organizations that cannot immediately patch, the mitigation using named captures can be applied to reduce risk. It is also advisable to review any custom rewrite rules that may match the vulnerable pattern and to monitor for unusual worker process crashes that could indicate exploitation attempts.
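As an added example (not from the article, F5, or the NGINX project), the following Python audit reads an nginx configuration, flags rewrite directives that match the pattern described in the "Understanding the NGINX Vulnerability" section (an unnamed $N capture plus a question mark in the replacement string, immediately followed by another rewrite, if, or set in the same block), and shows how such a rule reads once converted to the named-capture form F5 recommends. The matching heuristic and the sample configuration are reconstructed from the article's wording rather than taken from F5's advisory, so a hit marks a rule to review, not proof that the build is exploitable.

```python
import itertools
import re
# Constructed sample (not a real deployment): /old/ shows the article's trigger pattern,
# /safe/ is the same rule with a named capture, the configuration mitigation F5 describes.
SAMPLE_CONF = """
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?from=legacy break;
        set $migrated 1;
    }
    location /safe/ {
        rewrite ^/safe/(?<path>.*)$ /new/$path?from=legacy break;
        set $migrated 1;
    }
}
"""

def statements(conf):
    """(depth, words) per directive or block opener, in file order; comments skipped."""
    depth, out = 0, []
    for m in re.finditer(r"#[^\n]*|([^;{}#]+)([;{}])|([{}])", conf):
        if m.group(0).startswith("#"): continue
        words = (m.group(1) or "").split()
        if words: out.append((depth, words))
        end = m.group(2) or m.group(3)
        depth += 1 if end == "{" else -1 if end == "}" else 0
    return out

def risky_rewrites(conf):
    """(rewrite text, following directive) for each rewrite matching the described pattern."""
    stmts, hits = statements(conf), []
    for i, (depth, words) in enumerate(stmts):
        if words[0] != "rewrite" or len(words) < 3:
            continue
        # unnamed capture ($N) together with a '?' in the replacement string ...
        if not (re.search(r"\$\d+", words[2]) and "?" in words[2]):
            continue
        # ... immediately followed by rewrite, if, or set in the same block
        nxt = stmts[i + 1] if i + 1 < len(stmts) else None
        if nxt and nxt[0] == depth and nxt[1][0] in ("rewrite", "if", "set"):
            hits.append((" ".join(words), nxt[1][0]))
    return hits

def to_named(regex, replacement):
    """Rename unnamed groups to (?<gN>...) and $N to $gN; '(' inside [...] is not handled."""
    counter = itertools.count(1)
    rename = lambda m: m.group(0) if m.group(0)[0] == "\\" else f"(?<g{next(counter)}>"
    named = re.sub(r"\\.|\((?!\?)", rename, regex)  # escaped chars are copied untouched
    return named, re.sub(r"\$(\d+)", r"$g\1", replacement)
```

Run risky_rewrites over each file that nginx -T prints and review every hit; to_named gives the named-capture rewrite to paste in place of a flagged rule.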
Background on NGINX and Its Importance
NGINX is the most widely deployed web server on the internet, powering millions of websites and applications. It is known for its high performance, scalability, and low resource consumption. Beyond serving web pages, it functions as a reverse proxy, load balancer, and HTTP cache. Its development is overseen by F5, the networking and application delivery company, which offers both an open-source version (NGINX Open Source) and a commercial version (NGINX Plus) with additional features and support.
Because NGINX sits at the entry point of many applications, any vulnerability in it can have a cascading impact. A successful denial-of-service attack can render entire online services unavailable, while potential remote code execution could allow attackers to pivot to internal networks, steal data, or deploy further malware. The CVE-2026-42945 vulnerability echoes past issues like the NGINX HTTP/2 and buffer overflow vulnerabilities, but the deterministic heap corruption makes it especially dangerous.
The research by Depthfirst using AI-driven vulnerability detection underscores a growing trend in cybersecurity: automated tools that can uncover subtle memory safety issues in complex codebases. This approach may lead to more vulnerabilities being discovered and disclosed at a faster pace, putting pressure on vendors to respond quickly and on administrators to maintain up-to-date systems.
In the broader context, the exploitation of NGINX vulnerabilities highlights the ongoing challenge of securing critical internet infrastructure. Many organizations rely on open-source software with long histories and large codebases, where bugs can persist for years. Regular patching, configuration review, and threat monitoring remain essential practices to mitigate such risks. The security community will be watching closely for any new developments or additional attack methods leveraging this vulnerability.
Source: Help Net Security News