CVE-2026-42945: Historic NGINX flaw exposes critical RCE after remaining hidden for nearly 18 years
Vulnerabilities 📅 2026-05-15 ⏱ 7 min read



Overview

The vulnerability known as CVE-2026-42945, nicknamed “NGINX Rift”, is a heap-buffer-overflow affecting the ngx_http_rewrite_module and reportedly existing since approximately 2008.

The flaw enables unauthenticated remote code execution in vulnerable NGINX deployments and has already triggered emergency patching efforts and mass scanning activity across exposed infrastructure.

Technical Details

The issue is classified as a heap buffer overflow in ngx_http_rewrite_module triggered through replacement strings inside rewrite, if and set directives using unnamed PCRE captures such as $1 and $2.

Under the right conditions, attackers may achieve unauthenticated remote code execution or trigger denial of service through worker crashes.

Affected versions reportedly include historical NGINX Open Source builds dating back to around 2008, alongside NGINX Plus, Ingress Controller deployments and related products.

How exploitation works

The vulnerability can be triggered through a specially crafted HTTP request designed to manipulate rewrite substitutions involving PCRE captures and special characters such as “?”.

The root cause involves an inconsistency between the internal length calculation phase and the actual copy phase performed during rewrite processing.

During the initial sizing phase, NGINX underestimates the amount of heap memory required for the processed string.

Later, during the copy operation, escaping routines expand additional bytes beyond the previously allocated buffer size.

This leads to heap corruption inside the NGINX worker process.

Overflow execution flow

The vulnerable scenario requires:

  • rewrite, if or set directives using unnamed PCRE captures
  • Presence of the “?” character inside replacement strings
  • Subsequent processing by the internal escaping engine

The attacker submits a crafted URI specifically designed to populate regex captures with controlled content.

The rewrite engine performs an initial sizing pass that underestimates the final expansion size.

Based on that miscalculation, insufficient heap memory is allocated.

During the subsequent copy phase, escaping routines expand the payload beyond the expected size.

The result is a heap overflow capable of overwriting adjacent heap structures inside the worker process.

RCE conditions

The resulting heap corruption may lead either to worker crashes or remote code execution depending on the protections enabled in the target environment.

Factors such as ASLR, heap hardening, libc versions and compiler mitigations directly impact exploitation reliability.

Researchers demonstrated working proof-of-concept exploitation resulting in arbitrary code execution in environments with weakened protections.

Affected products

  • NGINX Open Source
  • NGINX Plus
  • NGINX Ingress Controller
  • NGINX Gateway Fabric
  • F5 App Protect WAF
  • Appliances and gateways embedding ngx_http_rewrite_module
  • Third-party products embedding NGINX internally

Industry reports estimate that roughly one-third of web servers rely on NGINX, significantly increasing the potential exposure surface.

Detection and indicators

Observable indicators may include:

  • Recurring worker crashes
  • Segfaults involving nginx processes
  • Unexpected core dumps
  • Spikes in HTTP 500 responses
  • Anomalous URIs involving rewrite payloads and special characters
  • Unexpected processes spawned by the NGINX user

In monitored environments, abnormal worker recycling activity may serve as an early exploitation indicator.
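The following is an added example, not code from the original article or from the NGINX project, showing how the "recurring worker crashes" indicator above can be turned into a rate check over the nginx error log. It assumes the standard master-process message `worker process N exited on signal S`; the log excerpt is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed nginx error_log excerpt (not from the advisory): two worker
# crashes seconds apart, an unrelated error, and a lone crash much later.
SAMPLE_ERROR_LOG = """\
2026/05/15 10:00:01 [alert] 1000#1000: worker process 2001 exited on signal 11 (core dumped)
2026/05/15 10:00:02 [notice] 1000#1000: start worker process 2002
2026/05/15 10:00:05 [alert] 1000#1000: worker process 2002 exited on signal 11 (core dumped)
2026/05/15 10:00:06 [notice] 1000#1000: start worker process 2003
2026/05/15 10:03:00 [error] 1000#1000: *7 open() "/var/www/missing" failed (2: No such file or directory)
2026/05/15 10:40:00 [alert] 1000#1000: worker process 2003 exited on signal 11 (core dumped)
"""

# Matches the message the nginx master logs when a worker dies on a signal.
CRASH = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)


def parse_worker_crashes(log_text):
    """Return [(timestamp, worker_pid, signal)] for every crash line."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            crashes.append((ts, int(m.group(2)), int(m.group(3))))
    return crashes


def crash_bursts(crashes, window=timedelta(minutes=5), threshold=2):
    """Sliding-window rate check: return the timestamps at which the number
    of crashes inside `window` reached `threshold`. A lone crash is noise;
    repeated crashes in a short span are the recurring-crash indicator and
    warrant collecting worker dumps and the matching access-log entries."""
    times = sorted(c[0] for c in crashes)
    alerts = []
    start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    for ts in crash_bursts(parse_worker_crashes(SAMPLE_ERROR_LOG)):
        print(f"ALERT {ts}: worker crash burst, collect core dumps and access logs")
```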

Immediate mitigation

The primary recommendation is immediate deployment of official patches released for NGINX Open Source, NGINX Plus and related components.

Published fixes reportedly include versions such as NGINX Plus R32 P6 and R36 P4 alongside updated Open Source builds.

Where immediate patching is not possible, recommended temporary mitigations include:

  • Blocking known exploit patterns through WAF rules
  • Reviewing rewrite rules using unnamed captures
  • Avoiding replacement strings containing “?” whenever possible
  • Reducing nginx process privileges
  • Isolating exposed critical services
  • Performing rapid inventory of NGINX instances
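To support the review of rewrite rules and the "?" check in the list above, here is an added audit script (not from the original article or the NGINX project). It scans a configuration line by line for `rewrite` and `set` directives whose value references an unnamed capture, rating the finding "high" when the value also contains "?"; the sample configuration is constructed, and the parser assumes one directive per line without backslash escapes.

```python
import re
import shlex

# Constructed sample nginx configuration (not from the advisory); the line
# numbers matter because the audit reports them.
SAMPLE_CONF = r"""
server {
    listen 80;
    rewrite ^/old/(.*)$ /new/$1?ref=legacy last;
    rewrite ^/docs/(?<slug>.*)$ /wiki/$slug permanent;
    location /api {
        set $backend "/v2/$1";
        if ($request_uri ~ ^/search/(.*)$) {
            rewrite ^ /find?q=$1 redirect;
        }
    }
}
"""

# Unnamed PCRE capture references ($1 .. $9) in a replacement string.
UNNAMED_CAPTURE = re.compile(r"\$[1-9]")


def audit_rewrite_config(conf_text):
    """Return (line_no, directive, value, level) for every rewrite/set whose
    value references an unnamed capture. Level is "high" when the value also
    contains "?" (both conditions the advisory lists), otherwise "review".
    Rewrites nested in if blocks are caught because each line is inspected.
    Assumes one directive per line and no backslash escapes in the regex."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        stmt = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not stmt.endswith(";"):
            continue                              # block openers, braces, etc.
        try:
            tokens = shlex.split(stmt[:-1])       # honours quoted values
        except ValueError:
            continue                              # unbalanced quotes: skip
        if len(tokens) < 3 or tokens[0] not in ("rewrite", "set"):
            continue
        value = tokens[2]                         # rewrite REGEX VALUE / set $var VALUE
        if not UNNAMED_CAPTURE.search(value):
            continue
        level = "high" if "?" in value else "review"
        findings.append((line_no, tokens[0], value, level))
    return findings


if __name__ == "__main__":
    for line_no, directive, value, level in audit_rewrite_config(SAMPLE_CONF):
        print(f"line {line_no}: {level:6s} {directive} -> {value}")
```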

Operational impact

Security teams should treat affected environments as potentially compromised until validation is completed.

In suspicious cases, recommended actions include heap memory analysis, nginx worker dump collection and detailed review of anomalous HTTP payloads.

Kubernetes environments using NGINX Ingress Controller should also be audited immediately.

Conclusion

CVE-2026-42945 highlights how subtle inconsistencies inside mature infrastructure components can still create severe operational risk across modern environments.

The potential impact across reverse proxies, ingress controllers, gateways and embedded appliances makes rapid inventory, remediation and post-patch validation essential.
