CVE-2026-42945 (NGINX Rift): Critical Heap Buffer Overflow in the Rewrite Module

NGINX powers a substantial part of the modern web. It serves as the reverse proxy behind some of the highest-traffic applications on the planet, the ingress controller in millions of Kubernetes clusters, and the core of commercial products like NGINX App Protect and F5 WAF. On May 13, 2026, security researchers from DepthFirst Disclosures published details on CVE-2026-42945, a critical heap buffer overflow they named NGINX Rift. This vulnerability has existed undetected inside NGINX since 2008, affects every major release up to and including 1.30.0, and comes with a working proof-of-concept exploit already available to the public. The CVSS v4.0 score is 9.2.

The attack requires no authentication. A single crafted HTTP request is sufficient to crash the NGINX worker process. On systems where ASLR is disabled, remote code execution inside the worker process has been demonstrated. This is not a low-probability edge case. It is a deterministic, reproducible vulnerability in one of the most deployed pieces of software infrastructure in existence. If your organization runs NGINX, this article covers everything you need to address before your next maintenance window.

What Is NGINX Rift and How Did It Stay Hidden for 18 Years?

NGINX Rift is a heap buffer overflow in ngx_http_rewrite_module, the core NGINX module responsible for URL rewriting, redirects, and conditional request handling. The module is not an optional add-on. It is compiled into the NGINX binary by default and is actively used by nearly every production NGINX configuration that performs any kind of request routing beyond simple file serving.

The reason this flaw remained undetected for nearly two decades comes down to the specificity of the trigger condition. The overflow does not occur during routine URL rewriting. It only manifests when a very particular combination of directive types and PCRE capture syntax appears together in the same configuration block. Most NGINX installations use rewrite rules, but the exact conjunction required to trigger the overflow is less common in default or simple configurations, which meant it passed through years of code reviews, security audits, and fuzz testing without being caught.

The Root Cause: A Two-Pass Size Mismatch

When NGINX processes a rewrite directive, it performs two separate passes over the replacement string. The first pass calculates how much heap memory to allocate for the output buffer. The second pass performs the actual write into that buffer. These two passes use different string-escaping logic.

The problem occurs when three conditions are met simultaneously:

1. A rewrite directive uses unnamed PCRE captures (the positional references $1, $2, etc.)
2. The replacement string in that directive contains a literal question mark (?)
3. The rewrite directive is followed by another rewrite, if, or set directive in the same block

Under these conditions, the first pass calculates a buffer size based on one escaping method. The second pass writes data using a different method, one that expands certain characters. The characters +, %, and & each expand into multi-character sequences during re-escaping. Since the buffer was sized for the smaller pre-expansion form, the write operation extends past the end of the allocated region.

The following configuration snippet illustrates the vulnerable pattern:

rewrite ^/search/(.+)$ /index.php?q=$1 last;
rewrite ^/index.php$ /app/handler break;

The unnamed capture $1, the question mark in the replacement, and the chained rewrite directive create the exact trigger. An attacker who sends a request containing characters that expand during re-escaping can reliably trigger the overflow.

Technical Insight: The overflow is deterministic, not probabilistic. Given a matching configuration and a specifically crafted request, the overflow occurs every time. This characteristic makes it significantly more dangerous than race-condition-based vulnerabilities, which require precise timing to exploit.

Affected Versions and the Full Blast Radius

CVE-2026-42945 affects an extraordinarily wide range of software. The bug was introduced in NGINX 0.6.27, released in 2008, and has persisted through every subsequent release without modification.

NGINX Open Source

Every version of NGINX Open Source from 0.6.27 through 1.30.0 is vulnerable. This encompasses approximately 18 years of releases and represents the vast majority of self-hosted NGINX installations worldwide. The fixed releases are 1.30.1 (stable branch) and 1.31.0 (mainline branch).

NGINX Plus and the Broader Ecosystem

NGINX Plus from R32 through R36 is affected. Patched commercial versions are R32 P6 and R36 P4. Beyond the NGINX binary itself, the following products inherit the vulnerability because they embed the same vulnerable module:

• NGINX Ingress Controller: Routes external traffic into Kubernetes clusters
• NGINX Gateway Fabric: Implements Kubernetes Gateway API with NGINX as the data plane
• NGINX App Protect WAF: Application firewall built directly on NGINX
• F5 WAF for NGINX: Commercial WAF offering from F5
• F5 DDoS protection products: Where NGINX serves as the request processing layer

This creates a critical gap in patch management: an organization can patch its standalone NGINX instances and still remain exposed through its WAF, ingress controller, or gateway fabric if those products are not separately updated. Each product has its own release cycle and its own container image that requires rebuilding.

Scenario: A security team performs a thorough NGINX binary audit across all servers, confirms every standalone instance is patched, and closes the incident ticket. Meanwhile, their Kubernetes cluster continues running an unpatched NGINX Ingress Controller image because it is managed by a separate platform team and was not included in the initial scope. The blast radius of CVE-2026-42945 demands a cross-team inventory, not a single-team check.

How the Exploit Works

The exploitation path is unusually direct. An attacker who can send HTTP requests to a server running vulnerable NGINX with the exploitable configuration pattern needs nothing beyond network access to the endpoint. No credentials, no cookies, no prior session, and no application-level knowledge are required.

The crafted request contains a URL path that matches a vulnerable rewrite directive and query parameters with characters that expand during re-escaping. NGINX processes the request, runs the two-pass buffer calculation, and writes past the end of the allocated heap region.

• Worker process crash (DoS): Occurs reliably regardless of ASLR state. The corrupted heap data terminates the worker process. The master process restarts the worker automatically, but all in-flight requests are dropped and a brief capacity reduction occurs.
• Remote Code Execution: Demonstrated by DepthFirst Disclosures on systems with ASLR disabled. The attacker uses the heap overflow to overwrite function pointers or other control-flow data, redirecting execution to attacker-controlled code running inside the worker process.

The public proof-of-concept repository at github.com/depthfirstdisclosures/nginx-rift includes working exploit code demonstrating the DoS path and documenting the RCE path for ASLR-disabled environments. This significantly lowers the technical barrier for exploitation.

Production Architecture Scenario: Kubernetes Ingress Under Attack

A Kubernetes cluster uses the NGINX Ingress Controller with the following annotation in an ingress resource for a path-based routing rule:

nginx.ingress.kubernetes.io/rewrite-target: /api/$1?source=ingress
nginx.ingress.kubernetes.io/use-regex: "true"

This annotation generates a rewrite directive with an unnamed capture and a question mark in the replacement, exactly matching the trigger condition. An attacker identifies the NGINX version through a server response header. They send a crafted request to the exposed ingress endpoint. The ingress controller pod crashes. Kubernetes restarts it after a few seconds, but the attacker sends another crafted request as soon as the pod passes its readiness probe. With three ingress replicas, the attacker can cycle through all of them simultaneously, maintaining a persistent denial of service against the cluster ingress layer.

Mini-Summary: Single unauthenticated HTTP request triggers the overflow. DoS is reliable on all affected systems. RCE is demonstrated on ASLR-disabled systems. Public PoC is available. No prerequisite knowledge of the target application is needed beyond reaching the endpoint.

Risk Assessment: Reading the CVSS Score Correctly

The CVSS v4.0 score of 9.2 (Critical) reflects a low-complexity attack with no required privileges, high potential impact on availability, and conditional impact on integrity and confidentiality via RCE. Understanding the actual risk requires more nuance than the score alone provides.

The critical insight from this table is that exploitability in practice depends on the configuration, not just the version. However, given how prevalent complex rewrite logic is in production environments, the safe assumption is that the vulnerable pattern exists until it has been verified otherwise.

Remediation: What to Do and When to Do It

Primary Fix: Version Upgrade

The complete and permanent resolution is a version upgrade. The patched releases are:

• NGINX Open Source: Upgrade to 1.30.1 (stable) or 1.31.0 (mainline)
• NGINX Plus: Upgrade to R32 P6 or R36 P4
• NGINX Ingress Controller, Gateway Fabric, App Protect WAF: Pull updated container images from the official F5/NGINX registry and redeploy

The binary upgrade is operationally low-risk. For standalone deployments, replacing the NGINX binary and running nginx -s reload completes a graceful reload: existing connections are handled by old worker processes until they complete, while new connections are routed to updated workers. There is no forced disconnect. For containerized deployments, a Kubernetes rolling update replaces pods one at a time with continuous health checking, achieving zero-downtime patching assuming proper readiness probe configuration.

Temporary Mitigation: Named Captures

If an immediate upgrade cannot be scheduled, eliminate the trigger condition by replacing unnamed captures with named captures throughout your rewrite directives:

# Vulnerable
rewrite ^/api/(.+)/data$ /backend/index.php?path=$1&format=json last;
rewrite ^/backend$ /app/handler break;

# Safe: named capture eliminates the trigger
rewrite ^/api/(?P<seg>.+)/data$ /backend/index.php?path=${seg}&format=json last;
rewrite ^/backend$ /app/handler break;

This change removes the positional reference that creates the size-mismatch condition. The behavior of the rewrite rule is identical from the perspective of the application. The change requires auditing every rewrite directive in every included configuration file, including files under conf.d/, sites-enabled/, and any dynamically generated configuration files produced by Helm charts, operators, or CMS systems.

Technical Insight: Do not attempt to block this vulnerability at the WAF or CDN level. The exploit payload is not a recognizably malicious HTTP structure. It triggers a memory-safety issue in NGINX internal configuration processing logic, not in the observable HTTP content. Pattern-matching rules at the network or application layer cannot reliably distinguish exploit requests from legitimate traffic.

Common Mistakes Teams Make When Responding to CVEs Like This

The most damaging mistake is scoping the patch effort to customer-facing infrastructure only. Internal NGINX instances serving developer tooling, monitoring dashboards, internal APIs, or CI/CD webhooks are equally vulnerable. In a post-initial-compromise scenario, an attacker who has already established a foothold on an internal network can use a vulnerable internal NGINX instance as a pivot point or escalation vector.

A second error is assuming container images update automatically. A running Kubernetes workload uses whatever container image was specified at deployment time. Executing docker pull nginx:latest only updates the local image cache; it does not update running pods. Patching NGINX in a Kubernetes environment means updating the image reference in the deployment manifest and triggering a rollout. Teams that did not pin image tags to specific versions face an additional challenge: they need to identify which version is actually running in each deployment before confirming it has been patched.

Third, many teams audit their top-level nginx.conf and miss the vulnerable pattern in included files. A production NGINX instance commonly includes dozens of virtual host configuration files from sites-enabled/ or route-specific fragments from conf.d/. A complete audit requires examining every file in the configuration tree, not just the entry point.

Fourth, when the named-capture mitigation is applied to running configurations rather than configuration templates, the next automated deployment may overwrite the mitigation with the original vulnerable template. Teams using infrastructure-as-code or GitOps workflows must apply the mitigation at the template or Helm chart level, not just in the running configuration.

Performance Considerations During the Patch Deployment

The 1.30.0 to 1.30.1 upgrade is a security-only patch release. No behavioral changes, no new features, no modified configuration semantics. Post-upgrade NGINX performance is identical to pre-upgrade. There is no valid performance-based argument for delaying this patch.

For large-scale deployments managed through configuration management tools like Ansible, Chef, or Puppet, the upgrade can be automated with staged rollouts: patch a percentage of instances, monitor error rates and response times for a defined period, then continue. This approach balances patch urgency against operational caution for high-traffic systems.

One genuine operational consideration for high-traffic environments: on configurations with very large upstream pools or complex configuration trees, the nginx -s reload operation involves re-reading and validating the entire configuration. This can take several seconds in extreme cases, during which new connection acceptance may queue. This is existing NGINX behavior, unchanged by the patch. Include it in rollout runbooks for high-traffic environments where connection queuing during reload has been observed previously.

Frequently Asked Questions

Is CVE-2026-42945 exploitable on systems where ASLR is enabled?

Yes, with the impact limited to denial of service. The heap overflow deterministically crashes the NGINX worker process regardless of ASLR state. Every HTTP request handled by that worker at the time of the crash is dropped, and the worker must restart before processing continues. Remote code execution has been demonstrated specifically against systems with ASLR disabled. Systems with ASLR enabled on modern Linux distributions face a real DoS risk but a significantly lower RCE risk.

How can I determine whether my specific NGINX configuration is actually exploitable?

Audit every rewrite directive across all included configuration files. You are looking for this specific combination: (1) an unnamed PCRE capture reference ($1, $2, etc.) appearing in the replacement string, (2) a literal question mark (?) also present in that replacement string, and (3) at least one additional rewrite, if, or set directive following the affected directive in the same server or location block. All three conditions must be present for the trigger to exist. If none of your rewrite directives match this pattern, the vulnerability cannot be exploited against your installation even if the version is within the affected range.

Does this vulnerability affect NGINX used exclusively as a static file server?

If the configuration contains no rewrite, if, or set directives that process user-controlled input, the exploitable trigger condition does not exist. A minimal static file server configuration is not exploitable. That said, configurations grow over time, and upgrading to the patched version remains the recommended action regardless of current configuration state.

My Kubernetes cluster uses a managed NGINX ingress. Does my cloud provider handle the patch?

It depends on the deployment model. Cloud providers like AWS, GCP, and Azure manage their Kubernetes control planes, but workloads running on those clusters, including self-managed NGINX Ingress Controller deployments, are the operator's responsibility. If you deployed the NGINX Ingress Controller yourself via Helm or a Kubernetes operator, you are responsible for updating it. If you are using a provider-native ingress class that is fully managed by the cloud provider, check the provider's security bulletin to confirm whether the patch has been applied on your behalf.

Conclusion

CVE-2026-42945 is a textbook example of a vulnerability that combines broad reach, low exploitation complexity, and high availability impact. Eighteen years of undetected exposure, a CVSS score of 9.2, and a public proof-of-concept exploit that demonstrates unauthenticated worker crashes make this a response-now situation. The fix is operationally straightforward, the upgrade is low-risk, and the temporary named-capture mitigation can be implemented without any service downtime.

Take an inventory of every NGINX instance across your entire infrastructure today, including internal services, Kubernetes ingress controllers, WAF appliances, and edge proxies. Audit each configuration for the vulnerable rewrite pattern. Apply the named-capture mitigation immediately on any instance that cannot be upgraded in the near term. Then complete the version upgrade before this vulnerability transitions from a newly disclosed critical CVE to a known exploited vulnerability in active campaigns.

Follow Nippysoft for ongoing technical coverage of high-impact CVEs and security vulnerabilities affecting software infrastructure.

References

• CVE-2026-42945 — NVD Detail: nvd.nist.gov/vuln/detail/CVE-2026-42945
• NGINX Official Security Advisories: nginx.org/en/security_advisories.html
• DepthFirstDisclosures — Nginx-Rift PoC (GitHub): github.com/depthfirstdisclosures/nginx-rift
• AlmaLinux — NGINX Rift (CVE-2026-42945): Patched nginx available in testing: almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/
• Security Online — Critical 18-Year-Old NGINX RCE and GitHub PoC Disclosed: securityonline.info/nginx-rce-vulnerability-cve-2026-42945-poc-disclosure/
• Orca Security — NGINX Rewrite Module Flaw (CVE-2026-42945): orca.security/resources/blog/nginx-rewrite-module-vulnerability-cve-2026-42945/
• SC World — Critical NGINX Rift vulnerability present for 18 years: scworld.com/brief/critical-nginx-rift-vulnerability-discovered-present-for-18-years