CVE-2026-42945: Critical security vulnerability in NGINX that remained hidden for 18 years has been disclosed

A critical security vulnerability has been disclosed in NGINX Open Source and NGINX Plus products. Tracked as CVE-2026-42945 and codenamed “NGINX Rift,” the flaw is a heap-based buffer overflow vulnerability affecting the ngx_http_rewrite_module component.

According to available information, the vulnerability remained undiscovered within the NGINX codebase for approximately 18 years and can be exploited through specially crafted HTTP requests without requiring authentication. Successful exploitation may lead to NGINX worker process crashes, application-layer denial-of-service (DoS) conditions and, under certain circumstances, remote code execution (RCE). Researchers emphasize that remote code execution is primarily feasible on systems where the Address Space Layout Randomization (ASLR) protection mechanism has been disabled.

Research findings indicate that the vulnerability is triggered during the processing of specific rewrite rules. In particular, configurations using unnamed PCRE capture groups such as $1 and $2, together with rewrite directives containing a question mark (?), are considered vulnerable. The issue originates from a mismatch between memory size calculation and data copying operations within NGINX’s internal script engine. Consequently, attacker-controlled data may be written beyond the boundaries of the allocated heap memory region, resulting in heap memory corruption.
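A configuration audit for the pattern described above, as an added example that is not part of the original advisory or of NGINX itself. It assumes the description means a rewrite directive whose replacement argument contains a question mark and references a numbered capture ($1 to $9); the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = r'''
server {
    listen 80;
    # numbered captures and "?" in the replacement: the described pattern
    rewrite ^/item/(\d+)/(\w+)$ /view.php?id=$1&tab=$2 last;
    # named capture only: not flagged
    rewrite ^/u/(?<name>\w+)$ /profile?user=$name last;
    # numbered capture but no "?" in the replacement: not flagged
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /dl/ {
        rewrite "^/dl/(.+)\.zip$" "/get?file=$1" break;
    }
}
'''

TOKEN = re.compile(
    r"#[^\n]*"                # comment to end of line
    r'|"(?:\\.|[^"\\])*"'     # double-quoted argument
    r"|'(?:\\.|[^'\\])*'"     # single-quoted argument
    r"|[;{}]"                 # statement and block delimiters
    r"""|[^\s;{}"']+"""       # bare word
)
NUMBERED = re.compile(r"\$[1-9]")  # unnamed capture reference

def find_risky_rewrites(conf_text):
    """Return (line, replacement) for each rewrite matching the assumed pattern."""
    findings, stmt = [], []
    for m in TOKEN.finditer(conf_text):
        tok = m.group(0)
        if tok.startswith("#"):
            continue
        if tok in (";", "{", "}"):
            # stmt holds one directive: name, regex, replacement, optional flag
            if len(stmt) >= 3 and stmt[0][1] == "rewrite":
                repl = stmt[2][1]
                if repl[0] in "\"'" and repl[-1] == repl[0]:
                    repl = repl[1:-1]  # drop surrounding quotes
                if "?" in repl and NUMBERED.search(repl):
                    findings.append((stmt[0][0], repl))
            stmt = []
            continue
        stmt.append((conf_text.count("\n", 0, m.start()) + 1, tok))
    return findings

if __name__ == "__main__":
    for line, repl in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line}: rewrite replacement {repl!r} needs review")
```

Feeding it the output of `nginx -T` covers included files as well. A hit marks a rule to review on an affected version; an empty result does not replace upgrading.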

NGINX is extensively deployed across reverse proxy infrastructures, API gateways, load balancers, SaaS platforms, Kubernetes environments and cloud-based services, which significantly broadens the potential attack surface associated with the vulnerability. According to publicly available statistics, NGINX powers a substantial proportion of internet-facing web resources globally.

A proof-of-concept (PoC) exploit demonstrating the practical exploitation of the vulnerability has also been publicly released on GitHub. The publication of the PoC code is expected to increase the likelihood of active exploitation attempts targeting vulnerable systems in the near future.

Additionally, several other memory corruption vulnerabilities were identified during the same research process, including CVE-2026-42946, CVE-2026-40701 and CVE-2026-42934.

CVE-2026-42945 affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. To remediate the issue, users are advised to upgrade to NGINX Open Source versions 1.30.1 and 1.31.0+, as well as NGINX Plus R32 P6 and R36 P4.
