Exploitation of a critical NGINX vulnerability, identified as CVE-2026-42945, has been detected, raising concerns across the cybersecurity community. Known as Nginx Rift, this flaw, which was patched last week, is now being actively exploited in the wild, according to security firm VulnCheck.
Details of the NGINX Vulnerability
The vulnerability, which has a CVSS score of 9.2, is a heap buffer overflow in the ngx_http_rewrite_module component of NGINX. The flaw has been present in the NGINX codebase for 16 years. F5, the company responsible for NGINX, recently released patches, but shortly thereafter Depthfirst made technical details and proof-of-concept code public, facilitating exploitation.
VulnCheck researcher Patrick Garrity reports active exploitation of this vulnerability, which affects both NGINX Plus and NGINX Open Source. The defect arises from a two-pass process in the script engine: when the internal engine state changes unexpectedly, the buffer overflows, allowing malicious data to be written beyond the buffer's boundary.
Potential Impact and Exploitation Methods
Successful exploitation of this vulnerability can cause a denial-of-service (DoS) condition by triggering server restarts. However, if Address Space Layout Randomization (ASLR) is not enabled, the situation could escalate to remote code execution (RCE). VulnCheck highlights that the vulnerability can be exploited remotely and without authentication through specially crafted HTTP requests, but that exploitation requires a particular rewrite configuration to succeed.
While causing a crash in the NGINX worker process can be achieved with relative ease, executing remote code is more challenging due to the default ASLR settings that protect most deployments. Despite this, approximately 5.7 million NGINX servers are potentially exposed to this vulnerability, with a smaller fraction likely being susceptible to real threats.
Urgency and Security Recommendations
Security experts urge immediate attention to this vulnerability, given the public availability of the proof-of-concept code. They anticipate broader exploitation attempts on vulnerable systems, emphasizing the need for swift action to apply patches and review configurations to mitigate risks. Disabling ASLR could increase the chances of RCE, so maintaining default security settings and applying the latest patches are crucial.
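A triage example for the two checks recommended above, added here and not taken from F5, VulnCheck or the article: it reports the host's ASLR setting and lists every ngx_http_rewrite_module directive in an `nginx -T` dump so those blocks can be reviewed. The article does not say which rewrite configuration is required, so listing all of the module's directives (rewrite, if, set, return, break) is an assumption made here; the function names and the sample dump are constructed for illustration.

```shell
# Added triage example; not code from F5, VulnCheck or the article.

# Map a Linux kernel.randomize_va_space value to a status word.
aslr_status() {
    case "$1" in
        2) echo full ;;       # stack, mmap and brk heap randomized
        1) echo partial ;;    # brk heap not randomized
        0) echo disabled ;;   # the case the article ties to RCE risk
        *) echo unknown ;;
    esac
}

# Read an `nginx -T` dump on stdin; print "file:line:directive" for each
# ngx_http_rewrite_module directive (rewrite, if, set, return, break).
list_rewrite_directives() {
    awk '
    /^# configuration file / { file = $4; sub(/:$/, "", file); line = 0; next }
    {
        line++
        n = split($0, part, /[{};]/)      # a directive starts after { } or ;
        for (i = 1; i <= n; i++) {
            text = part[i]
            sub(/^[ \t]+/, "", text)
            if (text ~ /^#/) break        # rest of the line is a comment
            if (text ~ /^(rewrite|if|set|return|break)([ \t(]|$)/) {
                split(text, tok, /[ \t(]/)
                printf "%s:%d:%s\n", file, line, tok[1]
            }
        }
    }'
}

# Constructed sample dump, not taken from any real server.
sample_dump() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    # rewrite ^/old /new;   (commented out, must be ignored)
    server {
        proxy_set_header Host $host;
        location /a { set $v 1; rewrite ^/a/(.*)$ /b/$1 last; }
        if ($request_method = POST) { return 405; }
    }
}
EOF
}

echo "ASLR: $(aslr_status "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)")"
sample_dump | list_rewrite_directives   # live host: nginx -T 2>/dev/null | list_rewrite_directives
```

The listing is an inventory for manual review, not a verdict: a hit means the rewrite module is in use at that location, and a host with no hits still needs the patch.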
This incident underscores the importance of proactive security measures and continuous monitoring of system vulnerabilities to protect against potential cyber threats. As new exploits emerge, organizations must remain vigilant and responsive to safeguard their digital assets.
