NGINX Rift

An 18-year-old heap buffer overflow in NGINX's rewrite module enabling unauthenticated remote code execution.

CVSS: 9.2 Critical | CWE-122 Heap Overflow

Understanding the Threat

Discovered: May 2026 (Autonomous AI discovery)
Researcher: DepthFirst Security Analysis System

NGINX Rift is a critical heap buffer overflow in NGINX's ngx_http_rewrite_module that has existed since 2008 — 18 years of vulnerable servers. The vulnerability enables unauthenticated remote code execution (RCE).

This is not a theoretical vulnerability. A fully working public exploit exists and has been tested on default NGINX installations. Any server running NGINX with rewrite rules is potentially vulnerable.

Attack Diagram
Figure 1: NGINX Rift Attack Path

🚨 Why This Matters

  • Unauthenticated RCE — No login required, network-accessible exploit
  • Since 2008 — Eighteen years of affected NGINX installations
  • Default configurations vulnerable — Any server using rewrite or set directives
  • Public PoC available — Actively exploited in the wild
  • AI-discovered — First vulnerability found autonomously by AI security system

Am I Vulnerable?

If your NGINX server uses the rewrite or set directives with PCRE captures (like $1, $2) in replacement strings containing a question mark, you are vulnerable.

⚠️ Most NGINX Configurations Are Vulnerable

The vulnerability is triggered when a rewrite rule uses a PCRE capture variable ($1, $2, etc.) in the replacement string AND that replacement string contains a question mark. Common examples include redirect rules and URL normalization patterns.

Vulnerable Configurations

The following patterns are commonly used and ARE vulnerable:

nginx.conf (Vulnerable)
# Vulnerable: rewrite with $1 and ? in replacement
rewrite ^/(.*) /$1?lang=en redirect;

# Vulnerable: set with PCRE capture + ?
set $new_uri $1?mode=debug;

# Vulnerable: rewrite followed by if using capture
rewrite ^/old/(.*) /new/$1;
if ($uri ~ /debug/(.*)) {
  set $id $1?ref=header;
}

Safe Configurations

These patterns do NOT trigger the vulnerability (no question mark in replacement):

nginx.conf (Safe)
# Safe: no ? in replacement
rewrite ^/(.*) /$1 redirect;

# Safe: static replacement only
rewrite ^/old /new permanent;

# Safe: no PCRE captures
rewrite ^ /index.html redirect;

Affected Versions

Product             Affected Versions   Fixed Version
NGINX Open Source   0.6.27 – 1.30.0     1.31.0 or 1.30.1
NGINX Plus          R32 – R36           R36 P4, R35 P2, R32 P6

Check your version: nginx -v
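Added here as a worked example (not code from DepthFirst or the NGINX project): a small Python checker that combines the two questions this section and the "Am I Vulnerable?" section ask. It parses the `nginx -v` banner against the NGINX Open Source range given in the table above, and it scans a configuration for `rewrite`/`set` directives whose replacement or value contains both a positional capture (`$1`..`$9`) and a `?`, the pattern the page describes as vulnerable. The sample configuration is constructed from the vulnerable and safe patterns listed above; the function names and the one-directive-per-line parsing are my own choices and are not part of any advisory.

```python
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range for NGINX Open Source as given on this page. Anything above
# 1.30.0 (1.30.1, 1.31.0 and later) is treated as fixed. NGINX Plus uses
# release numbers (R32 ...) and is not covered by this check.
AFFECTED_MIN: Version = (0, 6, 27)
AFFECTED_MAX: Version = (1, 30, 0)

# A positional PCRE capture in a replacement or value: $1 .. $9 or ${1} .. ${9}.
# Named captures such as ${capt} deliberately do not match.
POSITIONAL_CAPTURE = re.compile(r"\$\{?[1-9]\}?")


def parse_nginx_version(banner: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of `nginx -v` output such as
    'nginx version: nginx/1.24.0 (Ubuntu)'. Returns None if absent."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_affected(version: Version) -> bool:
    """True if the version falls inside the affected range above."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def installed_nginx_version() -> Optional[Version]:
    """Run `nginx -v` on this host; nginx prints its banner to stderr."""
    try:
        proc = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_nginx_version(proc.stderr + proc.stdout)


def find_vulnerable_directives(config_text: str) -> List[Tuple[int, str]]:
    """Return (line number, directive) for every rewrite/set whose replacement
    or value holds both a positional capture and a '?'. Handles one directive
    per line and '#' comments; a '#' inside a regex would be mistaken for a
    comment, so review the output by hand."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        stmt = raw.split("#", 1)[0].strip()
        if not stmt.endswith(";"):
            continue                      # block openers, braces, blank lines
        try:
            tokens = shlex.split(stmt.rstrip(";"), posix=False)
        except ValueError:
            continue                      # unbalanced quotes; skip the line
        if len(tokens) < 3 or tokens[0] not in ("rewrite", "set"):
            continue
        value = tokens[2]                 # rewrite REGEX REPLACEMENT; set $var VALUE
        if POSITIONAL_CAPTURE.search(value) and "?" in value:
            findings.append((lineno, stmt))
    return findings


# Constructed sample, mirroring the vulnerable and safe patterns on this page.
SAMPLE_CONFIG = """\
# constructed sample nginx.conf
server {
    rewrite ^/(.*) /$1?lang=en redirect;                # vulnerable
    set $new_uri $1?mode=debug;                         # vulnerable
    rewrite ^/old/(.*) /new/$1;                         # safe: no ?
    if ($uri ~ /debug/(.*)) {
        set $id $1?ref=header;                          # vulnerable
    }
    rewrite ^/(.*) /$1 redirect;                        # safe: no ?
    rewrite ^/old /new permanent;                       # safe: static
    rewrite ^ /index.html redirect;                     # safe: no capture
    rewrite ^/(?<capt>.*) /${capt}?lang=en redirect;    # safe: named capture
}
"""


def report(config_text: str, version: Optional[Version]) -> List[str]:
    """Human-readable summary: version status first, then each flagged line."""
    lines = []
    if version is None:
        lines.append("nginx version: unknown (nginx not found or banner unparsed)")
    else:
        status = "AFFECTED" if version_is_affected(version) else "not in affected range"
        lines.append("nginx version: %d.%d.%d (%s)" % (*version, status))
    for lineno, stmt in find_vulnerable_directives(config_text):
        lines.append("line %d: %s" % (lineno, stmt))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG, installed_nginx_version()):
        print(line)
```

Run it against a real configuration by reading the file into `find_vulnerable_directives`; because it only looks at one directive per line and does not follow `include` statements, treat a clean result as a prompt to upgrade rather than as proof of safety.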

Technical Details

The vulnerability exists in NGINX's two-pass script engine processing:

  1. Length pass — First calculates buffer size needed for the rewrite result
  2. Copy pass — Then allocates and copies data to the buffer

The Flaw

When a rewrite replacement contains "?", the is_args flag is set on the main engine. However, the length-calculation pass runs on a freshly zeroed sub-engine where is_args = 0. This causes:

  • Length pass: Returns raw capture length (is_args = 0)
  • Copy pass: Calls ngx_escape_uri with NGX_ESCAPE_ARGS, expanding to 3x (is_args = 1)
  • Result: Heap buffer overflow with attacker-controlled data
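To make the length/copy mismatch concrete, here is an added Python model of the two-pass engine described above. It is not nginx's code and not from DepthFirst: the escape table is assumed to be the RFC 3986 unreserved set (nginx's real NGX_ESCAPE_ARGS table differs in detail, but every escaped byte still becomes three), and the function names are mine. `propagate_is_args=False` models the flaw (the length pass runs on a zeroed sub-engine); `propagate_is_args=True` shows the property a fix must restore, namely that both passes see the same `is_args` value.

```python
import string

# Bytes copied verbatim into the args part of a URI in this model.
# Assumption: RFC 3986 unreserved characters only.
ARGS_SAFE = set(string.ascii_letters + string.digits + "-._~")


def escape_args(data: bytes) -> bytes:
    """Model of ngx_escape_uri(..., NGX_ESCAPE_ARGS): %XX-encode unsafe bytes,
    so a fully unsafe capture grows to 3x its length."""
    out = bytearray()
    for b in data:
        if chr(b) in ARGS_SAFE:
            out.append(b)
        else:
            out += b"%%%02X" % b
    return bytes(out)


def length_pass(capture: bytes, is_args: bool) -> int:
    """Pass 1: number of bytes the engine reserves for this capture."""
    return len(escape_args(capture)) if is_args else len(capture)


def copy_pass(capture: bytes, is_args: bool, allocated: int) -> bytes:
    """Pass 2: the bytes written into the reserved buffer. The model raises
    where the C code would silently write past the end of the heap chunk."""
    data = escape_args(capture) if is_args else capture
    if len(data) > allocated:
        raise BufferError("copy pass needs %d bytes, %d allocated"
                          % (len(data), allocated))
    return data


def rewrite_capture(capture: bytes, replacement_has_args: bool,
                    propagate_is_args: bool):
    """Run both passes and return (allocated, needed, overflowed).

    replacement_has_args: the main engine's is_args, set when the replacement
                          string contains '?'.
    propagate_is_args:    False models the flaw (length pass on a zeroed
                          sub-engine, is_args = 0); True models a consistent
                          engine where both passes share the flag."""
    main_is_args = replacement_has_args
    sub_is_args = main_is_args if propagate_is_args else False
    allocated = length_pass(capture, sub_is_args)
    try:
        written = copy_pass(capture, main_is_args, allocated)
        return allocated, len(written), False
    except BufferError:
        needed = len(escape_args(capture)) if main_is_args else len(capture)
        return allocated, needed, True


if __name__ == "__main__":
    # Constructed inputs: a capture with one unsafe byte and one with four.
    for capture in (b"a b", b"\xff\xff\xff\xff"):
        for propagate in (False, True):
            allocated, needed, overflowed = rewrite_capture(capture, True, propagate)
            print("capture=%r propagate_is_args=%s allocated=%d needed=%d overflow=%s"
                  % (capture, propagate, allocated, needed, overflowed))
```

Two things the model makes visible: a capture made only of unreserved characters produces no mismatch at all, which is why ordinary traffic never trips the bug, and without the `?` in the replacement the main engine never sets `is_args`, which is why the "safe" configurations above are safe.
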

Exploitation

Attackers use cross-request heap feng shui to place a controllable ngx_pool_t cleanup pointer adjacent to the overflow, then corrupt it to redirect to a fake cleanup structure that invokes system() when the pool is destroyed.

How to Fix

1. Upgrade NGINX

The primary fix is to upgrade to a patched version. Most package managers have the update available.

Ubuntu/Debian
sudo apt update && sudo apt upgrade nginx

RHEL/CentOS/Fedora
sudo dnf update nginx

Amazon Linux
sudo dnf update nginx

Docker (Official Image)
docker pull nginx:1.31

2. Workaround: Disable PCRE in NGINX Config

If you cannot upgrade immediately, modify your rewrite rules to avoid the vulnerable pattern:

nginx.conf (Workaround)
# Before (Vulnerable):
rewrite ^/(.*) /$1?lang=en redirect;

# After (Safe) - Use named capture:
rewrite ^/(?<capt>.*) /${capt}?lang=en redirect;
# OR
rewrite ^ /redirect.php?url=$1 permanent;

Note: The workaround may change behavior. Test thoroughly before deployment.

3. WAF / Rate Limiting Mitigation

While not a complete fix, rate limiting can reduce exploit attempts:

nginx.conf (Rate Limit)
limit_req_zone $binary_remote_addr zone=default:10m rate=10r/s;

server {
  limit_req zone=default burst=20 nodelay;
}

Critical: NGINX Plus Customers

NGINX Plus customers must upgrade through F5 BIG-IP or download patches from F5 Downloads. The open source package update may not apply to NGINX Plus installations. Contact F5 support for patch access.

Download & Test PoC

The official proof-of-concept is available from DepthFirst. Use only for authorized testing.

Terminal
git clone https://github.com/DepthFirstDisclosures/Nginx-Rift.git
cd Nginx-Rift
./setup.sh
python3 poc.py --target http://your-nginx-server

Disclosure Timeline

2026-05-01: Autonomous discovery by DepthFirst AI
2026-05-10: F5 Networks notified
2026-05-12: Patches developed
2026-05-13: CVE-2026-42945 assigned
2026-05-13: Public disclosure

Resources