18-Year NGINX Flaw CVE-2026-42945 Enables Unauthenticated RCE

Security researcher depthfirst disclosed CVE-2026-42945, an 18-year heap overflow in NGINX's rewrite module enabling unauthenticated RCE. CVSS 9.2 critical.

A critical heap buffer overflow that hid in NGINX’s rewrite module for 18 years was publicly disclosed Wednesday. Security researcher “depthfirst” released full details of CVE-2026-42945, a CVSS 9.2 flaw that allows unauthenticated remote code execution on servers running with ASLR disabled and reliable denial of service against any affected configuration. NGINX patched the vulnerability, dubbed “NGINX Rift,” in new versions released alongside the disclosure, following a responsible disclosure submitted on April 21, 2026.

CVE-2026-42945: Heap Buffer Overflow in NGINX’s Rewrite Module

The flaw resides in ngx_http_rewrite_module, a component introduced in NGINX version 0.6.27 in 2008. For 18 years it went undetected while the module became a near-universal fixture in NGINX deployments. Rewrite rules are among the most commonly used directives in NGINX configurations, handling URL manipulation, redirect logic, request routing, and conditional behavior, meaning any organization that has configured NGINX for anything beyond trivial static file serving is likely using the vulnerable component.

Depthfirst submitted the responsible disclosure to NGINX on April 21, 2026, initiating the coordinated patch cycle that culminated in Wednesday’s advisory.

Trigger Conditions, Affected Configurations, and Exploit Mechanics

The overflow activates under a specific but widely seen configuration: a rewrite directive followed by additional rewrite, if, or set directives that use unnamed PCRE captures (shorthand references like $1 or $2) in replacement strings containing question marks. Unnamed captures of this form are a standard idiom in NGINX rewrite rules, particularly in configurations migrated from Apache or generated by control panels and deployment tools.

On systems where ASLR is disabled, the heap corruption provides exploit primitives shaped by attacker-controlled URI data, enabling unauthenticated remote code execution. On systems with ASLR enabled, the flaw still triggers reliable denial of service through NGINX worker process crashes that force restarts. Neither attack path requires credentials, valid session state, or any prior foothold on the target.

Additional CVEs Addressed in the Same Advisory

Three further vulnerabilities were patched in the same release. CVE-2026-42946, rated CVSS 8.3, addresses a memory allocation flaw in the SCGI and UWSGI proxy modules. CVE-2026-40701 (CVSS 6.3) covers a use-after-free in the SSL module. CVE-2026-42934 (CVSS 6.3) resolves an out-of-bounds read in the charset module. The breadth of the advisory, spanning the rewrite engine, two proxy modules, the SSL layer, and the charset subsystem simultaneously, indicates the NGINX Rift disclosure triggered a more systematic review of adjacent code areas rather than a narrow point fix.

Patching CVE-2026-42945 Across NGINX Open Source and NGINX Plus

NGINX Open Source versions 1.0.0 through 1.30.0 are affected; fixes are available in versions 1.30.1 and 1.31.0. NGINX Plus subscriptions running R32 through R36 are vulnerable, with patches backported to R32 P6 and R36 P4. Legacy builds spanning versions 0.6.27 through 0.9.7 will receive no patch; NGINX has not disclosed a fix timeline for those older releases, leaving operators of unsupported versions responsible for their own risk management.

The advisory scope extends beyond the core NGINX server to a range of enterprise products built on its internals: NGINX Instance Manager, NGINX WAF, NGINX DoS Protection, NGINX Gateway Fabric, and NGINX Ingress Controller each carry their own affected version ranges requiring separate patch verification.

For organizations unable to apply patches in an immediate maintenance window, a single interim mitigation is available: replace unnamed PCRE captures ($1, $2, and similar) in all affected rewrite directives with explicitly named captures. This configuration change eliminates the specific code path that triggers the heap corruption without requiring a service restart or version upgrade.
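As an added illustration of the trigger pattern described under "Trigger Conditions" and the named-capture mitigation above (this is not code from the advisory, from depthfirst, or from NGINX): a small Python audit script that flags candidate directives in configuration text and converts a rewrite line to named captures. The directive matching is a text-level heuristic rather than a full NGINX config parser, and the group names c1/c2 and the sample configuration are my own assumptions and constructed input.

```python
"""Heuristic audit of NGINX config text for the CVE-2026-42945 trigger pattern,
plus a converter to the named-capture form used as the interim mitigation."""
import re

# rewrite / if / set directives at the start of a line (comments are skipped
# because '#' precedes the directive name).  Heuristic, not a config parser.
DIRECTIVE = re.compile(r"^\s*(rewrite|if|set)\b(.*)$")
# Unnamed PCRE capture references ($1, $2, ...) in directive arguments.
UNNAMED_REF = re.compile(r"\$(\d)")
# A capturing '(' in a regex: not escaped and not the start of a (?...) group.
CAPTURE_OPEN = re.compile(r"(?<!\\)\((?!\?)")

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """\
# constructed sample, not from any real deployment
location /legacy/ {
    rewrite ^/legacy/(.*)$ /app/$1 last;
    rewrite ^/app/([^/]+)/(.*)$ /index.php?page=$1&rest=$2 last;
    set $flag "?x=$1";
}
"""


def find_risky_directives(config_text):
    """Return (line_no, directive, line) for every rewrite/if/set directive
    that follows an earlier rewrite and uses $N in text containing a '?'.
    Over-approximates on purpose: every hit is a candidate for review."""
    findings, seen_rewrite = [], False
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, args = m.groups()
        if seen_rewrite and UNNAMED_REF.search(args) and "?" in args:
            findings.append((line_no, directive, line.strip()))
        if directive == "rewrite":
            seen_rewrite = True
    return findings


def to_named_captures(rewrite_line, prefix="c"):
    """Rewrite one 'rewrite REGEX REPLACEMENT [flag];' line so the k-th
    unnamed group becomes (?<ck>...) and each $k reference becomes $ck."""
    parts = rewrite_line.strip().rstrip(";").split(None, 2)
    if len(parts) < 3 or parts[0] != "rewrite":
        raise ValueError("not a rewrite directive: %r" % rewrite_line)
    _, regex, rest = parts
    counter = [0]  # mutable so the nested function can increment it

    def name_group(_match):
        counter[0] += 1
        return "(?<%s%d>" % (prefix, counter[0])

    regex = CAPTURE_OPEN.sub(name_group, regex)
    rest = UNNAMED_REF.sub(lambda m: "$%s%s" % (prefix, m.group(1)), rest)
    return "rewrite %s %s;" % (regex, rest)
```

Running find_risky_directives over SAMPLE_CONFIG flags the second rewrite and the set directive (lines 4 and 5 of the sample), and the converted lines no longer match the heuristic.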

NGINX serves approximately 34% of all websites globally and operates as a foundational reverse proxy in enterprise Kubernetes environments. Any NGINX installation using rewrite rules with unnamed captures, a description that fits a large share of production deployments, falls within the scope of CVE-2026-42945. The combination of 18 years of undetected exposure, zero authentication required to exploit, and deployment at internet scale places this vulnerability at the top of security team patch queues for May 2026.
