"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module," F5 said in an advisory released Wednesday.
CVE-2026-42945 (NGINX Rift): the flaw and why it matters
Researchers from depthfirst disclosed a heap buffer overflow in the ngx_http_rewrite_module that has persisted for 18 years and has been assigned CVE-2026-42945 (CVSS v4 score: 9.2). The issue, codenamed NGINX Rift, can be triggered by an unauthenticated attacker who sends a crafted HTTP request to a server whose configuration has a rewrite directive followed by a rewrite, if, or set directive, where the rewrite uses an unnamed PCRE capture (for example, $1, $2) in a replacement string that includes a question mark (?).
Depthfirst warned that "an attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution." The bytes written past the allocation are derived from the attacker’s URI, meaning the heap corruption is shaped by the attacker rather than random. Repeated requests can keep workers in a crash loop and degrade availability for every site served by the instance.
Affected products and where fixes appear
F5 and NGINX have released fixes in multiple product lines following responsible disclosure on April 21, 2026. The vulnerability has been addressed in the following releases:
- NGINX Plus R32 - R36 (fixes introduced in R32 P6 and R36 P4)
- NGINX Open Source 1.0.0 - 1.30.0 (fixes introduced in 1.30.1 and 1.31.0)
- NGINX Open Source 0.6.27 - 0.9.7 (No fixes planned)
- NGINX Instance Manager 2.16.0 - 2.21.1
- F5 WAF for NGINX 5.9.0 - 5.12.1
- NGINX App Protect WAF 4.9.0 - 4.16.0 and 5.1.0 - 5.8.0
- F5 DoS for NGINX 4.8.0
- NGINX App Protect DoS 4.3.0 - 4.7.0
- NGINX Gateway Fabric 1.3.0 - 1.6.2 and 2.0.0 - 2.5.1
- NGINX Ingress Controller 3.5.0 - 3.7.2, 4.0.0 - 4.0.1, and 5.0.0 - 5.4.1
F5's advisory highlights that the vulnerability is reachable without authentication and can be reliably used to trigger the heap overflow. For systems with Address Space Layout Randomization (ASLR) disabled, the advisory notes that code execution is possible.
Other flaws patched at the same time
Alongside CVE-2026-42945, NGINX Plus and NGINX Open Source updates include fixes for three additional vulnerabilities:
- CVE-2026-42946 (CVSS v4 score: 8.3) — an excessive memory allocation in ngx_http_scgi_module and ngx_http_uwsgi_module that could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to control upstream responses to read NGINX worker memory or restart the worker when scgi_pass or uwsgi_pass is configured.
- CVE-2026-40701 (CVSS v4 score: 6.3) — a use-after-free in ngx_http_ssl_module that could allow a remote, unauthenticated attacker limited control of data modification or a worker restart when ssl_verify_client is set to "on" or "optional" and ssl_ocsp is set to "on."
- CVE-2026-42934 (CVSS v4 score: 6.3) — an out-of-bounds read in ngx_http_charset_module that could disclose memory contents or restart a worker when charset, source_charset, charset_map, and proxy_pass with disabled buffering ("off") directives are configured.
Mitigation steps operators can take now
Users are advised to apply the latest versions listed above for optimal protection. The advisories emphasize that the critical rewrite-module flaw is exploitable without authentication and can be reliably triggered by a single request.
For organizations that cannot immediately upgrade, the guidance specific to CVE-2026-42945 is to change rewrite configurations by replacing unnamed captures with named captures in every affected rewrite directive. That change is presented as an operational workaround until patches can be applied.
How technologists, affected enterprises, and adversaries are likely to respond
- Technologists and security teams: will need to inventory NGINX Plus and Open Source instances and apply the fixes where available; where immediate patching isn’t possible, they will be asked to update rewrite directives by replacing unnamed PCRE captures with named captures.
- Affected enterprises and procurement leaders: should prioritize upgrades for the specific versions enumerated in the advisory and treat systems with ASLR disabled as higher risk because the advisory states code execution is possible in that configuration.
- Adversaries and threat actors: the advisories make clear an "unauthenticated attacker" can trigger the flaw and that the corruption is attacker-shaped, making it attractive for exploitation; repeated requests can also be used to keep workers in a crash loop and degrade availability.
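To support the inventory and the named-capture workaround described above, here is an added Python example (not code from the advisory, depthfirst, or NGINX) that scans an nginx configuration for rewrite directives with the risky shape, an unnamed capture referenced in a replacement containing "?", and converts them to named captures. The sample configuration and the cap1, cap2 group names are constructed; the scanner flags every such rewrite regardless of which directive follows it, which is the conservative reading of the trigger condition.

```python
import re

# Constructed sample nginx configuration, not taken from the advisory. The first
# rewrite has the risky shape ($1 in a replacement containing '?', then a set).
SAMPLE_CONF = """\
location /legacy/ {
    rewrite ^/legacy/(.*)$ /api/v2?path=$1 last;
    set $backend "app";
}
location /static/ {
    rewrite ^/static/(?<asset>.*)$ /cdn?file=$asset last;
}
"""

# One rewrite per line, unquoted regex and replacement (the common case).
REWRITE_RE = re.compile(r'^([ \t]*rewrite[ \t]+)(\S+)[ \t]+(\S+)([ \t]+[a-z]+)?[ \t]*;', re.M)
UNNAMED_REF = re.compile(r'\$([1-9])')          # nginx exposes $1..$9 only

def is_risky(repl):
    """Replacement references an unnamed capture and contains a '?'."""
    return bool(UNNAMED_REF.search(repl)) and '?' in repl

def find_risky_rewrites(conf):
    """Return (line_no, regex, replacement) for each risky rewrite directive."""
    return [(conf.count('\n', 0, m.start()) + 1, m.group(2), m.group(3))
            for m in REWRITE_RE.finditer(conf) if is_risky(m.group(3))]

def to_named_captures(regex, repl):
    """Turn unnamed groups into (?<capN>...) and $N references into $capN.
    Assumes no literal '(' inside character classes; review before deploying."""
    n = 0
    def name_group(_m):
        nonlocal n
        n += 1
        return f'(?<cap{n}>'
    # A bare '(' opens a capturing group; '\(' is literal and '(?...' is a
    # non-capturing, named or lookaround group, which we leave alone.
    new_regex = re.sub(r'(?<!\\)\((?!\?)', name_group, regex)
    new_repl = UNNAMED_REF.sub(lambda m: f'$cap{m.group(1)}', repl)
    return new_regex, new_repl

def remediate(conf):
    """Rewrite every risky directive in conf to use named captures."""
    def fix(m):
        regex, repl = m.group(2), m.group(3)
        if is_risky(repl):
            regex, repl = to_named_captures(regex, repl)
        return f'{m.group(1)}{regex} {repl}{m.group(4) or ""};'
    return REWRITE_RE.sub(fix, conf)
```

Run find_risky_rewrites over each config file to build the inventory, then diff the remediate output against the original and reload nginx only after reviewing it.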
Eighteen years is a long time for a defect to lie dormant in the wild. The combination of an unauthenticated trigger, attacker-controlled corruption and a reliable crash or execution path makes CVE-2026-42945 a high-priority item for any organization running the listed NGINX releases. Apply the listed fixes where available, or implement the named-capture workaround for affected rewrite directives, and treat systems without ASLR as especially urgent to remediate.