
Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)

May 27, 2026, by Twila Rosenbaum

A critical NGINX vulnerability (CVE-2026-42945) disclosed last week is being actively exploited by attackers, according to security researchers. The flaw, which has been dubbed "NGINX Rift," affects both NGINX Open Source and NGINX Plus versions, as well as several F5 products that incorporate the software. Exploitation attempts have been observed in the wild, making it imperative for organizations to patch or mitigate the vulnerability as soon as possible.

Understanding NGINX and Its Role

NGINX is one of the most widely deployed web servers on the internet, serving as a cornerstone of modern web infrastructure. It is used by millions of websites for high-performance content delivery, load balancing, reverse proxying, HTTP caching, and as an API gateway. Its event-driven architecture allows it to handle tens of thousands of concurrent connections with minimal resource usage, making it the server of choice for many critical applications. Originally created by Igor Sysoev in 2004, NGINX is now overseen by F5 Networks, Inc., which maintains and releases the open-source version (NGINX Open Source) and offers a commercial version (NGINX Plus). F5 also integrates NGINX into its various application delivery and security solutions, such as the NGINX Ingress Controller for Kubernetes, F5 WAF for NGINX, and F5 DoS for NGINX.

Details of CVE-2026-42945

CVE-2026-42945 is a memory corruption vulnerability discovered by researchers at Depthfirst, who uncovered it using the company's AI-native vulnerability detection platform. The vulnerability resides in the ngx_http_rewrite_module, a module that handles URI rewriting rules. The bug can be triggered by sending a specially crafted HTTP request to a vulnerable NGINX instance. Specifically, the flaw occurs when a rewrite directive uses an unnamed regex capture (such as $1, $2) and the replacement string contains a question mark, followed by another rewrite, if, or set directive. When this configuration pattern is present, NGINX miscalculates the destination buffer size, assuming one set of escaping rules, but then writes the data using a different set of assumptions. This discrepancy causes the write operation to exceed the allocated buffer, resulting in deterministic memory corruption. Importantly, the data written past the allocation is derived from the attacker's URI, meaning the corruption is not random but shaped by the attacker. This can lead to a denial-of-service (DoS) condition by crashing the NGINX worker process, or potentially to arbitrary code execution if the attacker can also disable address space layout randomization (ASLR) on the target system.

Trigger Conditions and Exploitability

Not every NGINX instance is vulnerable to CVE-2026-42945. The exploit requires a specific rewrite configuration to be present on the server. This configuration must use unnamed regex captures and a replacement string containing a question mark, followed by another rewrite, if, or set directive. Without this pattern, the vulnerability cannot be triggered. However, many production environments use complex rewrite rules, and the necessary pattern may be more common than expected. A Censys search by VulnCheck identified approximately 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, but the truly exploitable population is likely a much smaller subset of those. The vulnerability has been demonstrated to be reliably exploitable for DoS on default configurations, and there is proof of concept (PoC) code available publicly. Researchers have confirmed that remote code execution (RCE) is possible if ASLR is disabled on the target server, which is a less common but not unheard-of configuration in some environments. Additionally, an attacker can repeatedly send crafted requests to keep NGINX workers in a crash loop, effectively taking down any website or service served by the affected instance.

Affected Versions and Products

The vulnerability affects a wide range of NGINX versions. For NGINX Open Source, versions 0.6.27 through 1.30.0 are vulnerable. For NGINX Plus, versions R32 through R36 are impacted. Additionally, several F5 products that incorporate NGINX are affected, including NGINX Ingress Controller, F5 WAF for NGINX, and F5 DoS for NGINX. Users of these products should check the F5 security advisory for specific version numbers and patches. The vulnerability has a critical CVSS score due to its potential for remote code execution without authentication, as well as the ease of causing a denial of service.

Exploitation Timeline and Observed Activity

F5 released a security advisory and patches for CVE-2026-42945 on the same day the vulnerability was disclosed. Shortly after, the Depthfirst research team published technical details and a proof-of-concept exploit. According to Patrick Garrity from VulnCheck, canary systems began flagging exploitation attempts on May 16, 2026, just three days after the public disclosure. This rapid adoption of the vulnerability by attackers underscores the importance of immediate patching. The observed exploitation attempts vary in effectiveness depending on the target system's configuration. While DoS attacks are likely to succeed on many systems, achieving code execution requires additional conditions such as disabled ASLR, which may limit the scope of successful RCE attacks at this stage. However, the presence of active scanning and exploitation attempts suggests that attackers are actively probing for vulnerable instances.

Mitigation and Fixes

The primary mitigation provided by F5 is to use named captures (such as $name) instead of unnamed captures (like $1, $2) in rewrite definitions. This change prevents the memory corruption from occurring. However, the most effective solution is to apply the patches released by F5. The following fixed versions are available:

  • NGINX Open Source: versions 1.31.0 and 1.30.1
  • NGINX Plus: versions R36 P4 and R32 P6
  • F5 WAF for NGINX: v5.13.0
  • F5 DoS for NGINX: v4.9.0

In addition to F5's patches, several Linux distributions have begun releasing patched nginx packages. AlmaLinux, Ubuntu, and Debian have announced updates. Users who manage their own NGINX installations should upgrade to the latest patched version immediately. For users of NGINX Plus, the updated packages are available through the official F5 repository. It is also recommended to review rewrite configurations and replace any unnamed captures with named ones as an additional security measure, even after patching, to ensure that the vulnerable code path is never executed.
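As an added illustration for the trigger conditions and the named-capture mitigation described above (this is example code written for this page, not tooling from F5, Depthfirst or the article's source), the following Python checker scans an nginx configuration for rewrite directives that combine an unnamed capture with a question mark in the replacement and are then followed by another rewrite, if, or set directive, and the constructed sample config shows the risky form beside its named-capture equivalent. The sample config, the `Finding` type, and the reading of "followed by" as a later directive in the same block are assumptions of this example; treat it as a triage aid, not a substitute for applying the fixed versions.

```python
import re
from dataclasses import dataclass

# Unnamed positional captures ($1, $2, ...) inside a rewrite replacement.
UNNAMED_CAPTURE = re.compile(r"\$\d")
# rewrite <regex> <replacement> [flag];   (single-line directives only)
REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+\S+)?\s*;")
# Directives the article names as completing the trigger pattern.
FOLLOWER_RE = re.compile(r"^\s*(rewrite|if|set)\b")


@dataclass
class Finding:
    line: int          # 1-based line of the risky rewrite directive
    replacement: str   # its replacement string


def find_risky_rewrites(config_text: str) -> list[Finding]:
    """Flag rewrites with a $N capture and a '?' in the replacement that are
    followed by another rewrite/if/set directive at the same block depth
    (assumption: that is how 'followed by' is interpreted here)."""
    findings, pending, depth = [], [], 0
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        if FOLLOWER_RE.match(line):
            # Any pending rewrite in this block is now "followed" -> report it.
            findings.extend(Finding(p[0], p[1]) for p in pending if p[2] == depth)
            pending = [p for p in pending if p[2] != depth]
        m = REWRITE_RE.match(line)
        if m and UNNAMED_CAPTURE.search(m.group(2)) and "?" in m.group(2):
            pending.append((lineno, m.group(2), depth))
        depth += line.count("{") - line.count("}")
        pending = [p for p in pending if p[2] <= depth]   # block closed
    return findings


# Constructed sample: one risky location, one rewritten with a named capture.
SAMPLE_CONFIG = """\
server {
    listen 80;
    location /old/ {
        rewrite ^/old/(.*)$ /new?page=$1 last;      # $1 plus '?' in replacement
        set $backend app;                           # followed by set -> flagged
    }
    location /archive/ {
        rewrite ^/archive/(?<slug>.*)$ /posts?slug=$slug last;  # named capture
        set $backend archive;                       # same shape, not flagged
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /new/$1 last;         # no '?', no follower
    }
}
"""

if __name__ == "__main__":
    for f in find_risky_rewrites(SAMPLE_CONFIG):
        print(f"line {f.line}: unnamed capture with '?' -> {f.replacement}")
```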

Background on Rewrite Module and Memory Safety

The ngx_http_rewrite_module is a powerful component of NGINX that allows administrators to perform URL rewriting based on patterns. This module is often used to create clean URLs, redirect users, or change request paths before they reach the backend application. The vulnerability highlights the challenges of memory safety in C-based software, where human errors in buffer size calculations can lead to critical flaws. Memory corruption vulnerabilities like this one are particularly dangerous because they can often be exploited for code execution, especially on systems without modern exploit mitigations. The use of AI-powered vulnerability detection by Depthfirst demonstrates how advanced tools can uncover subtle bugs that traditional static analysis might miss.

The discovery of CVE-2026-42945 also underscores the importance of fuzz testing and code review for software that handles untrusted input. Given that NGINX is exposed to arbitrary network requests by design, the existence of such a bug is highly concerning. The fact that it was found in such a widely used module emphasizes the need for continuous security research and proactive patching.


Source: Help Net Security News

