Overview of the NGINX Vulnerability
Attackers have begun actively exploiting a critical vulnerability in NGINX, one of the most widely used web servers and reverse proxies in the world. The flaw, tracked as CVE-2026-42945 and nicknamed "NGINX Rift," was disclosed just last week and has already drawn significant attention from security researchers and threat actors alike. The vulnerability resides in the ngx_http_rewrite_module and can be reliably exploited to cause a denial-of-service (DoS) condition, and in some scenarios, it may allow unauthenticated remote code execution (RCE).
Background on NGINX
NGINX is a high-performance web server that also functions as a load balancer, reverse proxy, and HTTP cache. It powers a substantial portion of the internet's busiest websites, including those of major corporations, cloud providers, and content delivery networks. The software is developed and maintained by F5, a networking and application delivery company. F5 offers both an open-source version (NGINX Open Source) and a commercial enterprise version (NGINX Plus), and it has integrated NGINX into several of its products, such as NGINX Ingress Controller, F5 WAF for NGINX, and F5 DoS for NGINX.
Given its widespread deployment, any critical vulnerability in NGINX has the potential to impact millions of servers and services. The current vulnerability is particularly worrisome because it can be triggered remotely without authentication, and the exploit does not require complex configuration to achieve a DoS effect. The researcher who discovered the flaw, Patrick Garrity of VulnCheck, reported that exploitation attempts began surfacing on May 16, just three days after the vulnerability and a proof-of-concept (PoC) exploit were made public by the discovery team at Depthfirst.
Technical Details of CVE-2026-42945
CVE-2026-42945 is a memory corruption bug that affects NGINX Open Source versions 0.6.27 through 1.30.0, and NGINX Plus versions R32 through R36. It also impacts some F5 products that incorporate NGINX. The bug is located in the rewrite module, a component used to manipulate URIs and perform URL rewriting. The issue arises from a mismatch in buffer size calculations when the module processes certain rewrite directives.
Specifically, the vulnerability is triggered when a common configuration pattern is present: a rewrite directive using an unnamed regex capture (like $1 or $2) and a replacement string that contains a question mark, followed by another rewrite, if, or set directive. Under these conditions, NGINX miscalculates the required buffer size for the rewritten URI, leading to a heap overflow. Attackers can send a specially crafted HTTP request to a vulnerable NGINX instance, causing the worker process to corrupt memory. The corruption is deterministic, meaning the attacker can shape the overflow by manipulating the URI.
According to the researchers at Depthfirst, who discovered the vulnerability using their AI-native detection platform, the overflow writes beyond the allocated buffer with bytes derived from the attacker's input. This allows the attacker to control the corruption's structure. In a default NGINX configuration, a successful exploit can cause the worker process to crash, resulting in a denial of service. Furthermore, by repeatedly sending such requests, an attacker can force a crash loop, making the affected service unavailable for all sites hosted on that instance.
Exploitation and Impact
While achieving remote code execution (RCE) is more challenging, it is not impossible. Both VulnCheck and independent security researcher Kevin Beaumont have noted that code execution becomes feasible if the attacker can first disable Address Space Layout Randomization (ASLR) on the target server. This might be done through a separate vulnerability or by exploiting misconfigurations. However, the primary risk for most organizations remains the denial-of-service vector, which can be executed reliably on any vulnerable NGINX instance that has the required rewrite configuration.
It is important to note that not every NGINX deployment is vulnerable. The dangerous configuration pattern must be present. A Censys scan revealed approximately 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, but the truly exploitable population is likely much smaller. Still, the potential for RCE, even if limited, makes this a critical issue that requires immediate attention.
Affected Versions and Patches
F5 has released patches for all affected products. The fixed versions are:
- NGINX Open Source: versions 1.31.0 and 1.30.1
- NGINX Plus: versions R36 P4 and R32 P6
- F5 WAF for NGINX: version 5.13.0
- F5 DoS for NGINX: version 4.9.0
In addition to applying these updates, F5 has provided a mitigation that can be implemented without patching: replace unnamed regex captures (like $1, $2) with named captures in rewrite definitions. For example, using $<name> instead of $1 prevents the buffer calculation error. This workaround is effective and can be applied quickly to reduce risk.
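To check a configuration for the pattern described above (an unnamed capture, a `?` in the replacement, and a following rewrite, if or set directive) and to apply the named-capture workaround, here is an added Python checker that is not part of the article or any F5 tooling; the sample config is constructed, and the checker assumes one directive per line and no bare `(` inside regex character classes.

```python
import re

# Constructed nginx config fragment (not from the page): one rule with the
# pattern the advisory describes, one using the named-capture workaround.
SAMPLE_CONF = """
location /old/ {
    rewrite ^/old/(.*)$ /new/$1?legacy=1 last;   # unnamed capture + '?'
    set $flag 1;                                 # set follows: flagged
}
location /safe/ {
    rewrite ^/safe/(?<p>.*)$ /new/$p?legacy=1 last;  # named capture: OK
    set $flag 1;
}
location /single/ {
    rewrite ^/single/(.*)$ /x/$1?y=1 last;       # nothing follows: OK
}
"""
REWRITE_RE = re.compile(r'^rewrite\s+(\S+)\s+(\S+)')
FOLLOWER_RE = re.compile(r'^(rewrite|if|set)\b')

def risky_replacement(replacement):
    """True when the replacement uses $1..$9 and contains a '?'."""
    repl = replacement.strip('"\'')
    return bool(re.search(r'\$\d', repl)) and '?' in repl

def find_risky_rewrites(conf):
    """Return (line_no, directive) for each risky rewrite that is followed by
    another rewrite/if/set in the same block. Assumes one directive per line."""
    findings, pending = [], None
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if line.startswith('}'):              # block closed; follower must be in-block
            pending = None
        elif pending and FOLLOWER_RE.match(line):
            findings.append(pending)
            pending = None
        m = REWRITE_RE.match(line)
        if m and risky_replacement(m.group(2)):
            pending = (no, line)
    return findings

def to_named_captures(regex, replacement):
    """Apply the workaround: unnamed groups become (?<cN>...), $N becomes $cN.
    Assumes no bare '(' inside character classes."""
    counter = iter(range(1, 100))
    def group(m):   # escaped pairs pass through; a bare '(' opens group N
        return m.group(0) if m.group(0) != '(' else f'(?<c{next(counter)}>'
    return (re.sub(r'\\.|\((?!\?)', group, regex),
            re.sub(r'\$(\d)', r'$c\1', replacement))
```

Run `find_risky_rewrites` over each file that `nginx -T` dumps, then feed each flagged rule's regex and replacement to `to_named_captures` and review the result before committing it.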
Several Linux distributions, including AlmaLinux, Ubuntu, and Debian, have begun releasing patched nginx packages. System administrators are strongly urged to update their NGINX installations immediately or apply the mitigation steps if patching is not feasible.
Historical Context and Broader Implications
NGINX has a relatively strong security track record, but this vulnerability is among the most severe to affect the software in recent years. The fact that a PoC was released within days of the advisory, and that exploitation attempts followed almost immediately, underscores the importance of rapid patch management. The vulnerability also highlights the risks associated with complex configuration modules in widely used infrastructure software. The rewrite module, while powerful, can introduce subtle bugs that escape regular testing.
Organizations relying on NGINX should review their configurations for the vulnerable pattern. Even if a server runs a patched version, it is wise to adopt the recommended mitigation of using named captures as a defense-in-depth measure. Additionally, monitoring for signs of exploitation—such as unexpected HTTP request patterns or worker process crashes—can help detect attacks early.
The broader cybersecurity community has taken note. The vulnerability has been discussed extensively on mailing lists, social media platforms, and security blogs. The coordinated disclosure between F5 and the researchers at Depthfirst is an example of responsible vulnerability handling, though the quick public release of technical details and PoC triggered a race between defenders and attackers. As always, the window for proactive patching is shrinking, and organizations must act swiftly.
Recommendations for System Administrators
- Immediately upgrade to a patched version of NGINX Open Source or NGINX Plus as listed above. If using a Linux distribution, apply the latest package updates.
- If patching is delayed, implement the workaround by changing rewrite directives to use named captures. Review all configuration files that include rewrite rules.
- Monitor NGINX logs for anomalies, such as repeated worker process crashes or unusual HTTP requests containing question marks and regex patterns.
- Consider deploying a Web Application Firewall (WAF) with rules to block known exploit patterns for CVE-2026-42945, though this should not replace patching.
- Conduct a vulnerability scan across all internet-facing NGINX instances to identify potentially vulnerable versions. Tools like Censys or Shodan can help, but internal scanning is also critical.
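The "repeated worker process crashes" symptom in the monitoring recommendation can be picked out of the nginx error log with the added Python detector below, which is not from the article or from F5; the log excerpt is constructed, and the threshold and window are illustrative values chosen here, not figures from the advisory.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed nginx error_log excerpt (not a real capture): the master process
# keeps restarting workers that die on SIGSEGV, the shape a crash loop takes.
SAMPLE_ERROR_LOG = """\
2026/05/16 10:00:01 [notice] 1000#0: start worker process 1001
2026/05/16 10:00:05 [alert] 1000#0: worker process 1001 exited on signal 11 (core dumped)
2026/05/16 10:00:05 [notice] 1000#0: start worker process 1002
2026/05/16 10:00:06 [alert] 1000#0: worker process 1002 exited on signal 11 (core dumped)
2026/05/16 10:00:06 [notice] 1000#0: start worker process 1003
2026/05/16 10:00:08 [alert] 1000#0: worker process 1003 exited on signal 11 (core dumped)
2026/05/16 10:00:08 [notice] 1000#0: start worker process 1004
2026/05/16 10:00:30 [alert] 1000#0: worker process 1004 exited on signal 11 (core dumped)
"""

CRASH_RE = re.compile(
    r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \d+#\d+: '
    r'worker process (\d+) exited on signal (\d+)')

def worker_crashes(log_text):
    """Yield (timestamp, pid, signal) for every worker that exited on a signal."""
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S')
            yield ts, int(m.group(2)), int(m.group(3))

def crash_loop_alerts(log_text, threshold=3, window=timedelta(seconds=10)):
    """Return the timestamps at which `threshold` worker crashes fell inside one
    sliding `window`: the repeated-crash symptom administrators are told to
    watch for. Threshold and window are illustrative, not from the advisory."""
    recent, alerts = deque(), []
    for ts, _pid, _sig in worker_crashes(log_text):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts
```

Each alert timestamp is a point at which to pull the matching access-log entries and core dumps for the crashed worker PIDs.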
The exploitation of this vulnerability is ongoing, and with the PoC publicly available, the risk will only increase in the coming days. Organizations that fail to act may face service disruption or, in worse cases, compromise of their infrastructure. The security community expects additional exploit variants to emerge, potentially targeting the RCE vector more aggressively.
In the meantime, administrators should also be aware of other recent vulnerabilities affecting web infrastructure, such as the WordPress plugin zero-day market and the TanStack supply chain compromise, but the NGINX issue requires the most urgent attention due to the widespread deployment and active exploitation.
Source: Help Net Security News