NGINX Rift (CVE-2026-42945): An 18-Year-Old Heap Overflow in the World’s Most Deployed Web Server — Public Exploit Available Now
Upgrade to NGINX Open Source 1.30.1 or 1.31.0, or NGINX Plus R36 P4 / R32 P6. If you cannot patch immediately, replace all unnamed PCRE captures ($1, $2) with named captures in every rewrite directive.
Sources: The Hacker News · BleepingComputer · CybersecurityNews · SOCRadar · depthfirst · Threat Landscape · F5 Official Advisory | CVE: CVE-2026-42945 | CVSS v4: 9.2 Critical | Discovered by: Zhenpeng (Leo) Lin, depthfirst | PoC: Public — GitHub | Disclosed: May 13, 2026
A bug in every NGINX since George W. Bush’s second term
NGINX was first released in 2004. By 2008 — version 0.6.27 — it had already earned a reputation as the fast, lightweight alternative to Apache. That same year, a subtle logic flaw was introduced into the ngx_http_rewrite_module, the component that powers URL rewriting and variable assignment across virtually every modern NGINX deployment. For 18 years, that flaw sat in the codebase, untouched and unnoticed, shipping in every stable release, every LTS branch, every cloud image, every container, and every hosting platform that ran NGINX.
On May 13, 2026, security researcher Zhenpeng (Leo) Lin of depthfirst disclosed CVE-2026-42945 — codenamed NGINX Rift — a critical heap buffer overflow that allows any unauthenticated remote attacker to crash NGINX worker processes and, under achievable conditions, execute arbitrary code. A public proof-of-concept exploit is now available on GitHub. F5, which acquired NGINX, released patches the same day. The fix covers NGINX Open Source 0.6.27 through 1.30.0 — effectively the entire history of NGINX deployments. NGINX powers approximately 34% of all websites on the internet. The scale of exposure is almost without precedent for a vulnerability of this severity.
| Field | Detail |
|---|---|
| CVE | CVE-2026-42945 — “NGINX Rift” |
| CVSS v4 Score | 9.2 Critical (CVSSv3: 8.1 High) |
| Vulnerability class | Heap buffer overflow (CWE-122) in ngx_http_rewrite_module |
| Bug introduced | NGINX 0.6.27 — approximately 2008 (18 years ago) |
| Affected — Open Source | NGINX 0.6.27 through 1.30.0 (all versions for 18 years) |
| Affected — NGINX Plus | R32 through R36 |
| Affected — Other products | NGINX Instance Manager, NGINX App Protect WAF, NGINX Gateway Fabric, NGINX Ingress Controller |
| EOL / no fix | NGINX Open Source 0.6.27–0.9.7 — no patches planned |
| Safe versions | NGINX Open Source 1.30.1 and 1.31.0 · NGINX Plus R36 P4 and R32 P6 |
| Disclosure date | May 13, 2026 (reported to F5 on April 21, 2026) |
| Discovered by | Zhenpeng (Leo) Lin · depthfirst (autonomous code audit, April 18, 2026) |
| Public PoC | Yes — GitHub, released alongside disclosure |
| Trigger configuration | rewrite + unnamed PCRE capture ($1/$2) + ? in replacement + following rewrite/if/set directive |
| RCE conditions | Demonstrated with ASLR disabled; DoS reliable regardless |
| In-the-wild exploitation | Not confirmed at disclosure — but PoC is public and active scanning expected |
Why this sat undetected for 18 years
The trigger for NGINX Rift is a configuration pattern that is, on its own, completely valid and widely deployed. The vulnerability does not exist in any single directive — it is the product of a state mismatch between two processing passes in NGINX’s internal script engine.
NGINX’s rewrite module processes URI rewrites in two passes. The first pass calculates how much memory to allocate. The second pass writes the actual data into that allocation. The bug is a state mismatch between these two passes: when a rewrite directive uses an unnamed PCRE capture group ($1, $2, etc.) with a replacement string containing a question mark (?), NGINX sets an internal is_args flag. During the first pass, memory is calculated using unescaped URI lengths. During the second pass, NGINX writes escaped data — where characters like + and & expand from 1 byte to 3 bytes (%2B, %26). The buffer allocated in the first pass is too small. The write overflows the heap.
This trigger condition appears frequently in production NGINX configurations, particularly in API gateway setups, reverse proxy routing, and SPA URL rewriting. Any large organization running NGINX at scale has a meaningful probability of having servers with this configuration active right now.
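To make the pass-1/pass-2 arithmetic concrete, here is an added Python model of the sizing mismatch. It is constructed for this brief, not NGINX's own code: it reduces escaping to the two characters the text names (+ and &), and pass 2 reports how many bytes would spill past the buffer instead of writing them, so the model shows the size gap without corrupting anything.

```python
"""Model of a two-pass buffer build where pass 1 sizes on unescaped data
and pass 2 writes escaped data (constructed illustration, not NGINX code)."""

# Characters the brief says grow from 1 byte to 3 bytes when the args part is escaped.
ESCAPED = {ord('+'), ord('&')}


def escape_args(data: bytes) -> bytes:
    """Percent-encode only the bytes in ESCAPED; everything else passes through."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out += b'%%%02X' % b      # '+' -> b'%2B', '&' -> b'%26'
        else:
            out.append(b)
    return bytes(out)


def pass1_size_buggy(capture: bytes) -> int:
    """Pass 1 as described in the flaw: reserve len(unescaped capture)."""
    return len(capture)


def pass1_size_fixed(capture: bytes) -> int:
    """Pass 1 done right: reserve what pass 2 will actually emit."""
    return len(escape_args(capture))


def pass2_write(capture: bytes, capacity: int) -> tuple[bytes, int]:
    """Pass 2: write the escaped capture into a buffer of `capacity` bytes.

    Returns (bytes that fit, bytes that would have spilled past the buffer).
    The spill is counted rather than written so this model cannot overflow."""
    data = escape_args(capture)
    return data[:capacity], max(0, len(data) - capacity)


def overflow_bytes(capture: bytes) -> int:
    """Bytes by which pass 2 exceeds the buggy pass-1 reservation: 2 per escaped char."""
    return pass1_size_fixed(capture) - pass1_size_buggy(capture)


if __name__ == '__main__':
    capture = b'a+b&c'                      # constructed sample capture
    reserved = pass1_size_buggy(capture)
    kept, spilled = pass2_write(capture, reserved)
    print(f'reserved={reserved} fit={kept!r} spilled={spilled} '
          f'fixed_reservation={pass1_size_fixed(capture)}')
```

Each escaped character costs two extra bytes, so the gap scales linearly with how many such characters the captured URI segment contains; sizing pass 1 on the escaped form (pass1_size_fixed) closes it.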
The exploit chain: unauthenticated, deterministic, and self-resetting
What makes NGINX Rift particularly dangerous is not just the heap overflow — it is that NGINX’s own architecture makes the exploit deterministically retryable at no cost to the attacker.
Step 1 — Trigger the heap overflow. A single crafted HTTP request containing URI-encoded characters that expand during escaping (+ → %2B, & → %26) causes the second-pass write to overflow the buffer allocated by the first pass. The overflow writes into adjacent memory.
Step 2 — Cross-request Heap Feng Shui. The key technique from depthfirst’s research: two TCP connections are opened simultaneously. The first connection uses an HTTP POST body to spray the heap with controlled data. The second connection triggers the overflow. Because NGINX allocates memory sequentially from pools, this coerces the allocator to place the victim pool directly adjacent to the attacker’s controlled data. Now the overflow lands on known, attacker-controlled memory.
Step 3 — Overwrite the cleanup handler. NGINX manages memory through ngx_pool_t structures. Each pool has a cleanup handler pointer at offset 64 that is called when the pool is destroyed. By overwriting this pointer through the controlled heap overflow, the attacker redirects code execution to an arbitrary function — specifically system() — when the request pool is cleaned up at the end of the request lifecycle. The result is arbitrary command execution as the NGINX worker process user.
Step 4 — Free unlimited retries via NGINX master-worker architecture. If an exploit attempt fails and crashes the NGINX worker, the NGINX master process immediately spawns a replacement worker with an identical memory layout. The attacker simply tries again. NGINX’s own resilience mechanism provides infinite free retries. This makes even ASLR-protected systems vulnerable to brute-force exploitation with enough attempts — and each failed attempt looks like normal NGINX worker recycling to external monitoring.
The complete four-CVE disclosure bundle
depthfirst’s April 2026 autonomous code audit of NGINX uncovered four separate memory corruption vulnerabilities, all disclosed together on May 13, 2026:
- CVE-2026-42945 (CVSS 9.2 Critical) — NGINX Rift. Heap buffer overflow in ngx_http_rewrite_module via two-pass state mismatch. Unauthenticated RCE or DoS. The lead vulnerability.
- CVE-2026-42946 (CVSS 8.3 High) — Excessive memory allocation in SCGI/UWSGI modules. An attacker with adversary-in-the-middle capability who controls upstream SCGI or UWSGI server responses can trigger ~1 TB allocations, crashing the NGINX worker. Requires `scgi_pass` or `uwsgi_pass`.
- CVE-2026-40701 (CVSS 6.3 Medium) — Use-after-free in `ngx_http_ssl_module` during asynchronous OCSP DNS resolution. Requires `ssl_verify_client on/optional` and `ssl_ocsp on`. Allows limited memory modification or worker restart.
- CVE-2026-42934 (CVSS 6.3 Medium) — Off-by-one out-of-bounds read in `ngx_http_charset_module`. Requires `charset`, `source_charset`, `charset_map`, and `proxy_pass` with buffering disabled. Can disclose memory contents or restart the worker.
How to check if you are affected
Run this command to scan all NGINX configuration files for the trigger pattern:
grep -rn '$[0-9]' /etc/nginx/ | grep '?'
Any output showing a rewrite directive with both an unnamed capture ($1, $2, etc.) and a ? in the replacement string is a potential trigger location. The affected version range is NGINX Open Source 0.6.27 through 1.30.0. Check your version with nginx -v. If you use distribution-packaged NGINX, do not assume safety based on package version alone — confirm the actual NGINX binary version, as distribution packages sometimes trail upstream releases significantly.
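The grep above is a quick first pass; the added Python scanner below parses each `rewrite` directive instead and flags only those whose replacement both references an unnamed capture and contains a `?`, then shows the named-capture form the workaround section describes. This is example code written for this brief, not an F5 or NGINX tool. The config text is constructed, the directive parser is a heuristic (unquoted arguments, one directive per line), and the converter labels groups `c1`, `c2`, ... by PCRE numbering order while skipping escaped parens, character classes and `(?...)` groups. It flags the rewrite pattern on its own, without checking for the following rewrite/if/set directive the table lists, which is the conservative choice for an inventory.

```python
"""Find rewrite directives matching the trigger pattern and suggest named captures
(constructed example for this brief; heuristic, not a full nginx.conf parser)."""
import re
from dataclasses import dataclass

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
server {
    location /api/ {
        rewrite ^/api/(.*)$ /v2/$1? last;        # unnamed capture + '?' -> trigger pattern
        set $backend "api";
    }
    location /legacy/ {
        rewrite ^/legacy/(?P<rest>.*)$ /new/$rest? last;   # named capture -> not the pattern
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 last;  # unnamed capture but no '?' -> not the pattern
    }
}
"""

# rewrite <regex> <replacement> [flag];   (unquoted, single-line directives only)
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;')
UNNAMED_REF_RE = re.compile(r'\$[1-9]')          # $1..$9 numbered references


@dataclass
class Finding:
    line_no: int
    regex: str
    replacement: str


def find_trigger_rewrites(conf_text: str) -> list[Finding]:
    """Return every rewrite whose replacement uses $N and contains '?'."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        code = line.split('#', 1)[0]             # drop trailing comments
        m = REWRITE_RE.match(code)
        if not m:
            continue
        regex, replacement = m.group(1), m.group(2)
        if UNNAMED_REF_RE.search(replacement) and '?' in replacement:
            findings.append(Finding(line_no, regex, replacement))
    return findings


def to_named_captures(regex: str, repl: str) -> tuple[str, str]:
    """Rewrite unnamed groups as (?P<cN>...) and $N as $cN (heuristic conversion)."""
    out: list[str] = []
    group_no = 0
    in_class = False
    i = 0
    while i < len(regex):
        c = regex[i]
        if c == '\\' and i + 1 < len(regex):     # keep escapes such as \( and \d verbatim
            out.append(regex[i:i + 2])
            i += 2
            continue
        if in_class:
            in_class = c != ']'                  # parens inside [...] are literals
        elif c == '[':
            in_class = True
        elif c == '(' and not regex.startswith('(?', i):   # unnamed capturing group
            group_no += 1
            out.append(f'(?P<c{group_no}>')
            i += 1
            continue
        out.append(c)
        i += 1
    new_repl = re.sub(r'\$([1-9])', lambda m: f'$c{m.group(1)}', repl)
    return ''.join(out), new_repl


if __name__ == '__main__':
    for f in find_trigger_rewrites(SAMPLE_CONF):
        new_regex, new_repl = to_named_captures(f.regex, f.replacement)
        print(f'line {f.line_no}: rewrite {f.regex} {f.replacement}')
        print(f'   suggested: rewrite {new_regex} {new_repl}')
```

Run it over the concatenated output of `nginx -T` rather than over individual files, so included snippets and conditionally loaded configs are covered. Review each suggested conversion by hand before applying it; the converter does not understand every PCRE construct.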
Remediation steps
- Upgrade NGINX Open Source to 1.30.1 or 1.31.0 immediately. Debian/Ubuntu: `sudo apt update && sudo apt upgrade nginx`. RHEL/Rocky/Alma: `sudo dnf update nginx`. Alpine: `apk upgrade nginx`. Verify with `nginx -v`.
- Upgrade NGINX Plus to R36 P4 or R32 P6. Log into MyF5, download the updated package for your distribution, apply, and reload.
- Configuration workaround if you cannot patch immediately. Replace all unnamed PCRE capture groups with named captures in every rewrite directive. Change `rewrite ^(.*)$ /new$1? last;` to `rewrite ^(?P<p>.*)$ /new$p? last;`. This eliminates the trigger condition without upgrading.
- Update container images and Kubernetes deployments. Pull `nginx:1.31.0` or `nginx:1.30.1` and redeploy. Pinned-version images will not auto-update.
- Update NGINX Ingress Controller, Gateway Fabric, and Instance Manager. All are affected — check F5’s official advisory for per-product patch versions.
- Deploy a WAF rule while patches are applied. Block requests to rewrite-enabled locations containing high concentrations of percent-encoded characters (`%2B`, `%26`, `%20`). Not a substitute for patching, but it reduces the automated exploitation surface.
- Review nginx error logs for elevated worker respawn activity. Multiple “worker process exited” entries in a short window from the same remote IP since May 13, 2026 should be treated as a potential exploitation attempt.
- Watch for post-compromise signals. Unexpected outbound connections or shell activity from the nginx worker process indicate successful exploitation. Isolate, preserve forensics, and re-image.
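For the log-review and WAF items above, here is an added Python detector (example code for this brief, not an F5 or NGINX tool). It counts worker-exit messages from the nginx error log inside a sliding window, which surfaces the respawn churn the brief describes, and scores a request URI by how much of it is percent-encoded. The error-log lines are constructed samples in nginx's standard `date time [level] pid#tid: message` format; note that the master process's exit messages carry no client address, so attributing a burst to a remote IP means joining the burst window against the access log, which this example does not do. The thresholds are assumptions to tune per site.

```python
"""Worker-exit burst detection over nginx error-log lines and percent-encoding
density scoring for URIs (constructed example, not nginx code)."""
import re
from datetime import datetime, timedelta

# nginx error log: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
EXIT_RE = re.compile(
    r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: '
    r'worker process (\d+) exited on signal (\d+)')
PCT_RE = re.compile(r'%[0-9A-Fa-f]{2}')

# Constructed sample error log: one burst of four exits in 19 seconds, one isolated exit.
SAMPLE_ERROR_LOG = [
    '2026/05/14 09:00:00 [notice] 1#1: start worker processes',
    '2026/05/14 09:00:00 [notice] 1#1: start worker process 21',
    '2026/05/14 10:15:02 [alert] 1#1: worker process 21 exited on signal 11 (core dumped)',
    '2026/05/14 10:15:02 [notice] 1#1: start worker process 22',
    '2026/05/14 10:15:09 [alert] 1#1: worker process 22 exited on signal 11 (core dumped)',
    '2026/05/14 10:15:15 [alert] 1#1: worker process 23 exited on signal 11 (core dumped)',
    '2026/05/14 10:15:21 [alert] 1#1: worker process 24 exited on signal 11 (core dumped)',
    '2026/05/14 12:40:00 [alert] 1#1: worker process 25 exited on signal 11 (core dumped)',
]


def worker_exits(lines):
    """Parse exit events as (timestamp, worker pid, signal) tuples."""
    events = []
    for line in lines:
        m = EXIT_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S'),
                           int(m.group(2)), int(m.group(3))))
    return events


def peak_exit_burst(lines, window=timedelta(seconds=60)):
    """Largest number of worker exits inside any `window`: (count, first_ts, last_ts)."""
    events = sorted(worker_exits(lines))
    best = (0, None, None)
    j = 0                                     # left edge of the sliding window
    for i, (t, _, _) in enumerate(events):
        while events[j][0] < t - window:
            j += 1
        count = i - j + 1
        if count > best[0]:
            best = (count, events[j][0], t)
    return best


def percent_encoded_share(uri):
    """(number of %XX escapes, fraction of the URI's characters they occupy)."""
    escapes = PCT_RE.findall(uri)
    return len(escapes), (3 * len(escapes) / len(uri)) if uri else 0.0


def is_suspicious_uri(uri, min_escapes=4, min_share=0.4):
    """Assumed thresholds: at least 4 escapes and 40% of the URI percent-encoded."""
    n, share = percent_encoded_share(uri)
    return n >= min_escapes and share >= min_share


if __name__ == '__main__':
    count, first, last = peak_exit_burst(SAMPLE_ERROR_LOG)
    print(f'peak: {count} worker exits between {first} and {last}')
    for uri in ('/api/a%2Bb%26c%2B%26', '/api/users?id=42&sort=name'):
        print(uri, percent_encoded_share(uri), is_suspicious_uri(uri))
```

A planned reload also restarts workers, so compare bursts against deploy and reload times before escalating; repeated `exited on signal 11` entries with no corresponding reload are the pattern worth an incident ticket.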
The bigger picture: AI-assisted vulnerability discovery is compressing the detection window
depthfirst disclosed that CVE-2026-42945 was found during an autonomous AI code audit on April 18, 2026 — the same week XBOW’s autonomous AI built a working exploit for Exim’s Dead.Letter (CVE-2026-45185), and Google confirmed the first in-the-wild AI-generated zero-day. The depthfirst audit surfaced all four NGINX CVEs in a single session, finding vulnerabilities that survived 18 years of manual review, automated SAST tooling, and millions of hours of developer scrutiny.
The rate at which foundational vulnerabilities in critical internet infrastructure are being found by AI tooling is accelerating sharply. Three separate AI-assisted discoveries landed in the same week, across a mail server, a web server, and an actively exploited zero-day. The assumption that old, stable, widely-reviewed code is well-audited and safe is no longer defensible. The window between vulnerability introduction and discovery — historically measured in years — is collapsing. And once a PoC is public, the window between disclosure and exploitation is measured in hours.
Sources and further reading
- The Hacker News — 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
- BleepingComputer — 18-year-old NGINX vulnerability allows DoS, potential RCE
- CybersecurityNews — Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution
- SOCRadar — CVE-2026-42945: NGINX Rewrite Heap Overflow Enables Remote DoS & Potential RCE
- Threat Landscape — NGINX Rift CVE-2026-42945 Critical RCE Deep Dive
- Broadcom Tanzu — Critical NGINX RCE Vulnerability CVE-2026-42945
DataWater publishes a daily cybersecurity threat brief sourced from the most reliable security research organizations. Article #10 in the series — May 14, 2026. Previous briefs: Dead.Letter Exim RCE (May 13) · CVE-2026-0300 Palo Alto PAN-OS (May 13) · Google AI Zero-Day (May 13) · Copy Fail Linux LPE (May 4) · CVE-2026-3854 GitHub RCE (May 3) · BufferZoneCorp CI attack (May 2) · Cordial/Snarky Spider (May 1) · PyTorch Lightning (Apr 30).
