Security researchers have disclosed a set of vulnerabilities affecting both NGINX Plus and NGINX Open Source, the most severe of which went unnoticed for 18 years. Discovered by the security firm depthfirst and tracked as CVE-2026-42945 (CVSS v4 score 9.2), the flaw is a heap buffer overflow in ngx_http_rewrite_module. Dubbed ‘NGINX Rift,’ it lets an attacker send specially crafted requests to achieve remote code execution or cause a denial of service (DoS).
Exploring the NGINX Rift Vulnerability
The bug lives in ngx_http_rewrite_module and is reachable when a rewrite directive is followed by another rewrite, if, or set directive, the rewrite's regular expression uses an unnamed Perl-Compatible Regular Expression (PCRE) capture, and its replacement string contains a question mark. Note that this is a code defect in the module, not a misconfiguration: the configuration pattern is legitimate, it merely exposes the bug. Against such a configuration, an unauthenticated attacker can send crafted HTTP requests that overflow a heap buffer in the NGINX worker process. At minimum this crashes the worker, which is then restarted; on systems where Address Space Layout Randomization (ASLR) is disabled, remote code execution becomes feasible.
The vulnerability was responsibly disclosed on April 21, 2026. Fixes are available for NGINX Plus R32 through R36 (in R32 P6 and R36 P4) and for NGINX Open Source 1.0.0 through 1.30.0 (in 1.30.1 and 1.31.0). NGINX Open Source 0.6.27 through 0.9.7 are also affected, but no fixes are planned for those versions. Other affected products include NGINX Instance Manager, F5 WAF for NGINX, and NGINX App Protect WAF, among others.
Potential Impact and Exploitation
Depthfirst, in its advisory, noted that the flaw allows remote, unauthenticated attackers to corrupt the heap of an NGINX worker process through a crafted URI, enabling remote code execution. No prior access or credentials are needed: a single crafted request is enough to trigger the overflow inside the worker.
What makes the bug dangerous is that the attacker controls the overflow. The bytes written past the end of the allocation come from the attacker's URI, so the corruption can be placed with precision rather than being a blind crash. Even where code execution is not achieved, repeatedly triggering the flaw puts the worker processes into a crash loop and sharply reduces the availability of every service fronted by the affected NGINX instance.
Additional Security Concerns and Recommendations
In addition to NGINX Rift, three other vulnerabilities have been patched in NGINX Plus and NGINX Open Source: CVE-2026-42946, an excessive memory allocation issue; CVE-2026-40701, a use-after-free vulnerability; and CVE-2026-42934, an out-of-bounds read vulnerability. Their impact ranges from memory disclosure to worker process restarts.
Users are strongly advised to update to the fixed versions. Where an immediate update is not feasible, the recommended workaround is to replace unnamed captures with named ones in the affected rewrite directives, i.e. write the group as (?<name>...) and reference it as $name instead of $1. This only removes the known trigger pattern from the configuration; patching remains the actual fix.
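To turn the trigger description and the workaround into something a reviewer can run against a configuration, here is an added example (written for this page, not code from depthfirst, F5 or the NGINX project). It is a small Python scanner that tokenizes an nginx config and flags every rewrite directive whose regex contains an unnamed capture group, whose replacement contains a question mark, and which is immediately followed by a rewrite, if or set directive in the same block. The matching rule is an assumption modelled on the description above, not the precise condition in the patched code, so treat hits as items to review and to rewrite with named captures, not as proof of exploitability. Both sample configurations and all function names (parse_directives, find_risky_rewrites) are constructed for the example; the second configuration shows the same locations with the named-capture workaround applied.

```python
import re

# ASSUMPTION: the trigger is modelled as (a) an unnamed capturing group in the
# rewrite regex, (b) a '?' in the replacement and (c) the next directive in the
# same block being rewrite, if or set. This is a config review aid, not an
# exploit check, and the rule is inferred from the public description only.

# '(' that is neither escaped nor followed by '?': named groups are (?<name>...)
# and non-capturing groups are (?:...), so both are excluded.
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")
FOLLOWERS = {"rewrite", "if", "set"}


def parse_directives(text):
    """Minimal nginx config tokenizer returning (depth, name, args) in file order.
    Handles '#' comments, ';' terminators and '{'/'}' blocks; 'if (...) {' is
    recorded as a directive named 'if'. Quoted args keep their quotes.
    ASSUMPTION: no ';', '{' or '}' inside directive arguments (nginx requires
    quoting brace quantifiers such as \\d{2}, which this tokenizer does not parse)."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    directives, depth, buf = [], 0, ""
    for ch in stripped:
        if ch in ";{":
            parts = buf.split()
            if parts:
                directives.append((depth, parts[0], parts[1:]))
            buf = ""
            if ch == "{":
                depth += 1
        elif ch == "}":
            depth -= 1
            buf = ""
        else:
            buf += ch
    return directives


def find_risky_rewrites(config_text):
    """Return (regex, replacement, next_directive) for each rewrite that matches
    the heuristic: unnamed capture + '?' in replacement + rewrite/if/set next."""
    directives = parse_directives(config_text)
    findings = []
    for i, (depth, name, args) in enumerate(directives):
        if name != "rewrite" or len(args) < 2:
            continue
        regex = args[0].strip("\"'")
        replacement = args[1].strip("\"'")
        if not UNNAMED_GROUP.search(regex) or "?" not in replacement:
            continue
        # The directive right after this rewrite counts only if it is in the
        # same block; a lower depth means the block closed first.
        if i + 1 < len(directives) and directives[i + 1][0] == depth:
            nxt = directives[i + 1][1]
            if nxt in FOLLOWERS:
                findings.append((regex, replacement, nxt))
    return findings


# Constructed sample: /legacy/ and /search/ match the pattern; /docs/ does not
# because nothing follows its rewrite inside the block.
VULNERABLE_CONFIG = r"""
server {
    listen 80;
    location /legacy/ {
        rewrite ^/legacy/([a-z]+)/(\d+)$ /item?type=$1&id=$2;   # unnamed captures, '?' in replacement
        set $legacy 1;                                           # followed by set
    }
    location /search/ {
        rewrite "^/search/(.*)$" "/q?term=$1";
        if ($arg_debug) {                                        # followed by if
            return 200;
        }
    }
    location /docs/ {
        rewrite ^/docs/(.*)$ /help?page=$1;                      # no rewrite/if/set after it
    }
}
"""

# Same locations with the documented workaround: named captures referenced by name.
FIXED_CONFIG = r"""
server {
    listen 80;
    location /legacy/ {
        rewrite ^/legacy/(?<type>[a-z]+)/(?<id>\d+)$ /item?type=$type&id=$id;
        set $legacy 1;
    }
    location /search/ {
        rewrite "^/search/(?<term>.*)$" "/q?term=$term";
        if ($arg_debug) {
            return 200;
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = find_risky_rewrites(cfg)
        print(f"{label}: {len(hits)} finding(s)")
        for regex, repl, nxt in hits:
            print(f"  rewrite {regex} {repl}  (followed by '{nxt}')")
```

Run it against a real nginx.conf by reading the file into find_risky_rewrites; the scanner reports two findings for the constructed vulnerable configuration and none once the captures are named. Because the tokenizer does not understand quoted braces or included files, feed it the output of nginx -T (which dumps the full resolved configuration) and expect to review any rewrite with brace quantifiers by hand.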
Applying the updates, or the named-capture workaround until they can be applied, is the practical way to close this exposure and keep the affected web servers stable.
