Eighteen years. That’s how long a critical NGINX vulnerability sat dormant, waiting to be found. Discovered by depthfirst, NGINX Rift (CVE-2026-42945) allows unauthenticated attackers to execute code remotely. It’s a humbling reminder that even the bedrock of the internet can have its ancient skeletons rattling in the closet.
Look, I’ve been covering this stuff for two decades, and the sheer audacity of a bug lurking undetected for nearly two decades—affecting both NGINX Plus and NGINX Open Source, no less—is frankly astonishing. This isn’t just a bug; it’s an artifact. It’s a heap buffer overflow in the ngx_http_rewrite_module, and if you’re fluent in security jargon, that’s a nasty business. CVSS v4 score of 9.2. Yeah, that’s ‘critical’ in any language.
The exploit, as described, hinges on a specific, almost poetic, misconfiguration: when a rewrite directive is followed by another rewrite, if, or set directive, and crucially, uses an unnamed Perl-Compatible Regular Expression (PCRE) capture—think $1, $2—with a replacement string that includes a question mark (?). It’s like leaving a single, shiny key on the counter next to an unlocked door. And who actually makes money here? Well, the researchers, for one, get their shine. The attackers, if they’re quick and skilled, get access. The rest of us? We get to scramble and patch.
The Anatomy of NGINX Rift
So, what’s actually happening under the hood? depthfirst spells it out: an unauthenticated attacker, given the right conditions, can send crafted HTTP requests. These requests can trigger a heap buffer overflow in an NGINX worker process. The immediate result is often a restart, which is bad enough for availability. But for systems where Address Space Layout Randomization (ASLR) has been conveniently (or perhaps, foolishly) disabled, the door swings wide open for actual code execution. Imagine not having to log in, not needing any prior access, just sending a single, specially crafted request. That’s the nightmare scenario.
“An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution,” depthfirst said. “There is no authentication step, no prior access requirement, and no need for an existing session.”
And it gets worse. The bytes written past the allocation aren’t random scribbles; they’re derived from the attacker’s URI. This means the corruption is shaped, controlled. Repeated attacks can even lock workers into a crash loop, degrading service for everyone. Lovely.
This whole mess has been fixed, thankfully, in various updated versions of NGINX Plus and NGINX Open Source released after April 21, 2026. The patch notes list a dizzying array of specific versions, from NGINX Plus R32 through R36 (with fixes in P6 and P4 respectively) and NGINX Open Source 1.0.0 through 1.30.0 (fixes in 1.30.1 and 1.31.0). It’s a veritable jungle gym of version numbers, so picking the right one is an exercise in itself. Oh, and for the ancient NGINX Open Source versions 0.6.27 through 0.9.7? Tough luck, no fixes planned. Better upgrade or migrate, folks.
Are There Other Bugs Lurking?
Yes, because one 18-year-old vulnerability wasn’t enough to make our Wednesday exciting. Along with NGINX Rift, three other flaws were patched:
- CVE-2026-42946 (CVSS v4: 8.3): Excessive memory allocation in
ngx_http_scgi_moduleandngx_http_uwsgi_module. If you’re usingscgi_passoruwsgi_pass, and an attacker can get in the middle (AitM), they could read worker process memory or trigger restarts. A remote, unauthenticated attacker with AitM chops is the operative phrase here. - CVE-2026-40701 (CVSS v4: 6.3): A use-after-free in
ngx_http_ssl_module. This one requiresssl_verify_clientto be ‘on’ or ‘optional’, andssl_ocspto be ‘on’. It can give an attacker limited control over data modification or a worker restart. It’s less dramatic, but still a potential headache. - CVE-2026-42934 (CVSS v4: 6.3): An out-of-bounds read in
ngx_http_charset_module. If you’re messing with character sets andproxy_passwith buffering off, an unauthenticated attacker can peek at memory contents or cause a restart. Again, not RCE, but a window into the system.
What’s the Historical Parallel Here?
This entire saga feels like finding a hidden trapdoor in a centuries-old castle. You thought you knew every nook and cranny, but nope, there’s a whole secret passage leading to who-knows-where. The existence of such a deep-seated, long-unnoticed flaw in a widely deployed piece of critical infrastructure like NGINX isn’t just a technical oversight; it’s a historical footnote in the making. It makes you wonder what else is out there, quietly waiting for a determined researcher or, worse, a malicious actor, to stumble upon it. It’s the digital equivalent of discovering that the foundations of your house were built on something… less than solid.
For those not immediately ready to hit the upgrade button – because let’s be real, IT departments don’t always move at the speed of a zero-day disclosure – F5 offers a workaround for CVE-2026-42945: swap out those unnamed PCRE captures in your rewrite directives for named captures. It’s a band-aid, not a cure, but it’s something. The real solution, though? Patch. Patch yesterday.
Will This Actually Lead to Mass Exploits?
It’s hard to say. NGINX is everywhere, powering countless websites and APIs. The vulnerability is severe, unauthenticated, and leads to RCE. That’s the trifecta for exploit developers. However, the specific configuration required (rewrite directive followed by another, unnamed capture with a ?) might not be as ubiquitous as one would hope for the attackers. Still, even a small percentage of the global NGINX deployment is a massive attack surface. We’ve seen less severe bugs ignite widespread campaigns. I’m betting we’ll see proof-of-concept exploits emerge quickly, and those running vulnerable versions with the specific rewrite configurations will be in the crosshairs.
🧬 Related Insights
- Read more: Chrome 147’s $86K WebML Double-Whammy: Two Critical Bugs That Could Crack the Browser Sandbox
- Read more: Credential Attacks: The Breach That Logs In Like Your Barista
Frequently Asked Questions
What does NGINX Rift (CVE-2026-42945) do?
NGINX Rift is a heap buffer overflow vulnerability in the ngx_http_rewrite_module that allows an unauthenticated attacker to execute arbitrary code on the server, or cause a denial of service.
How old is the NGINX Rift vulnerability? This vulnerability remained undetected for 18 years before being disclosed by researchers.
What versions of NGINX are affected by NGINX Rift? NGINX Plus and NGINX Open Source versions prior to the latest patches are affected. Specific affected ranges include NGINX Plus R32-R36 and NGINX Open Source 1.0.0-1.30.0, among others. Older versions like 0.6.27-0.9.7 will not receive fixes.
