CRITICAL: 18-Year-Old NGINX Rift Vulnerability (CVE-2026-42945) Lets Unauthenticated Attackers Hijack the World's Top Web Server

Pour one out for the assumption that mature open-source code is safe code. CVE-2026-42945, dubbed NGINX Rift by the researcher who unearthed it, is a heap-based buffer overflow in the venerable ngx_http_rewrite_module that has been sitting quietly in NGINX since version 0.6.27. That release dropped in 2008. The vulnerability scored a 9.2 on the CVSS v4 scale, carries the worst kind of unauthenticated remote attacker prefix, and impacts what is by most measurements the most widely deployed web server on the internet. If you operate anything fronted by NGINX, and statistically you probably do, this one belongs at the top of your patching queue today.

The flaw was disclosed publicly yesterday by Zhenpeng Lin of depthfirst, who had been responsibly working with F5 since April 21. F5 cut patched releases of NGINX Open Source 1.30.1 stable and 1.31.0 mainline, along with NGINX Plus R32 P6 and R36 P4. A working proof-of-concept is now on GitHub under the DepthFirstDisclosures Nginx-Rift repository. The clock is ticking, and the window between disclosure and weaponization on a CVSS 9.2 bug with public exploit code tends to be measured in hours.

The technical root cause is genuinely elegant, in the same way a hairline crack in a dam is elegant. NGINX's rewrite module compiles its directives into bytecode that runs through a two-pass execution engine. The first pass calculates how much memory the rewritten URI will need. The second pass actually writes the bytes. The two passes are supposed to agree on the math. They do not, in a specific and exploitable way.

Here is what trips it. When a rewrite directive contains a query string delimiter, that humble question mark, NGINX flips an internal is_args flag that tells later operations how to handle the URI. If a subsequent rewrite directive in the same location block references an unnamed PCRE capture group, the $1 or $2 syntax that pulls matched text out of the previous regex, the second pass evaluates the captures against a slightly different state than the first pass anticipated. The result is that the size calculator underestimates how many bytes will be written. The writer then walks past the end of its heap allocation and corrupts whatever happens to be next door.

Lin's research paper makes the part that should give every red team a smile and every blue team a sinking feeling. The overflow bytes are not random heap padding or stack canaries. They come straight from the attacker's URI. In other words, an attacker who can shape an HTTP request can shape the heap corruption itself. That is the difference between a denial-of-service primitive and a code-execution primitive. NGINX worker processes are notoriously predictable with their heap layout, with deterministic allocation patterns for buffers, slabs, and connection state. Lin demonstrated reliable code execution on Linux x86_64 builds, and the public PoC reproduces the chain end to end.

Affected versions are sweeping. NGINX Open Source from 0.6.27 all the way through 1.30.0 is vulnerable. That covers essentially every NGINX release shipped in the last 18 years. NGINX Plus is affected from R32 through R36. Worse, the rewrite module is one of the most commonly used components of NGINX configurations in the wild. If you have ever pointed example.com slash old-page to example.com slash new-page with a regex, you are using the module. Ingress controllers built on NGINX, including the community ingress-nginx project, F5's NGINX Ingress Controller for Kubernetes, and several commercial API gateway distributions in the 3.5.0 to 5.4.1 range, inherit the flaw because they shell out to the same underlying worker code.

Exploitation in the wild has not been confirmed by F5 or CISA as of this writing. That window closes fast when public PoC code is available. The exploit is shaped enough that any competent attacker can wire it into Metasploit or a custom scanner within a day, and the prerequisite is simply finding a server whose configuration contains a rewrite with a query delimiter and an unnamed capture. Reverse proxy configurations, content management system rewrites, and any URL canonicalization rule that uses regex are likely candidates. Mass scanning is trivial because the trigger does not require authentication, valid sessions, or specific HTTP verbs.

So what do you actually do today. The clean answer is upgrade. NGINX Open Source users running the mainline branch should move to 1.31.0, and stable branch users should jump to 1.30.1. NGINX Plus subscribers should pull R32 P6 if they are on the long-term support train, or R36 P4 if they track the current release. F5 made the patches available simultaneously with the disclosure, and they are dropped into the standard package repositories, which means most apt and yum based deployments need a single update and a graceful reload of the worker pool. Kubernetes operators running ingress-nginx should check the controller's bundled NGINX version, documented in each release note, and roll to a controller image that ships the patched build. Helm chart users will find the version bump in the official chart repository within hours of this writing.

If you cannot patch in the next few hours, F5 published a configuration-side mitigation that genuinely works. Replace any unnamed capture group in your rewrite directives with named captures. Where you previously had a regex like (.*) followed by $1 in the replacement, switch to a named-group syntax such as (?P.*) and reference (?P=path) instead. The named-capture code path uses a different evaluator that does not exhibit the size miscalculation. The catch is that this requires auditing every server block, location block, and included configuration fragment your NGINX instance loads. For a small site this takes ten minutes. For a large enterprise NGINX deployment with hundreds of vhosts, it takes a week, and that is exactly why you should patch instead of mitigating.

On the detection side, the vulnerability does not produce a distinctive signature in NGINX's access log because the attacker controls the request and the response is generated by a worker that may or may not crash gracefully. Watch the error log for worker process killed by signal 11 entries, especially in clusters. A single worker crash in NGINX is unremarkable and often gets respawned by the master process, but a sudden surge across multiple workers strongly suggests scanning or exploitation. If you run a WAF in front of your NGINX layer, write a rule that flags HTTP requests containing both a question mark and a regex-style backreference syntax in the path portion of the URI, which is a deeply unusual pattern in legitimate traffic. Endpoint telemetry helps too, since most EDR vendors will be pushing detections for the public PoC payload as it spreads.

The broader lesson here is the one that never seems to stick. Heap overflows in mature C codebases are not a solved problem. The NGINX project has excellent code hygiene, an active maintainer community, and a strong security track record. CVE-2026-42945 still sat undetected for nearly two decades because the bug only manifests at the intersection of two features that look fine when audited independently. Memory-safe languages, fuzzing harnesses targeted at parser interactions, and configuration linters that flag risky directive combinations are all worth investing in, but at the operational level the takeaway is simpler. The software running your perimeter needs a patch SLA, not a patch wish.

For MSPs, this is the kind of vulnerability that writes its own pitch deck. Roughly one in three of the top one million websites run NGINX according to recurring Netcraft surveys, which means almost every client portfolio you maintain has skin in this game. Every customer who hosts anything on a Linux VPS, runs a Kubernetes cluster, or operates a reverse proxy in front of their application servers needs to be checked, advised, and ideally patched today. A two-hour emergency engagement to audit and update NGINX across a mid-sized client estate is an easy sell when the alternative headline is small business pwned by 18-year-old web server bug. This is also a natural lead-in to a managed patching service or vulnerability scanning subscription, since the next NGINX Rift will surface in some other piece of infrastructure your clients have been quietly running for a decade.