CVE-2026-42945 (“NGINX Rift”): Heap Buffer Overflow in the Rewrite Module Enables Unauthenticated RCE

In a staggering discovery that underscores the long-tail risks of legacy code, a critical vulnerability has been unearthed within the NGINX source code. This flaw, which has remained dormant and undetected since 2008, has transitioned from a theoretical risk to an active threat with working exploits already circulating in the wild.

Security researchers at depthfirst have released a Proof-of-Concept (PoC) demonstrating unauthenticated Remote Code Execution (RCE). Given that NGINX powers nearly one-third of the global web infrastructure, the implications for internet security are profound.

The vulnerability is officially tracked as CVE-2026-42945 and codenamed “NGINX Rift.” It carries a critical CVSS v4.0 score of 9.2, reflecting its ease of exploitation and the catastrophic potential for system compromise.

Technical Breakdown: The Mechanics of the Rift

At its core, CVE-2026-42945 is a heap buffer overflow residing within NGINX’s ngx_http_rewrite_module. This bug was introduced as far back as version 0.6.27 and affects virtually every subsequent release up to version 1.30.0.

What makes this discovery particularly fascinating is the methodology: the flaw was not caught by human manual audit, but was autonomously identified by depthfirst’s AI-driven source code analysis engine in just six hours of continuous scanning.

The depthfirst system identified 4 remote memory corruption issues in NGINX
The depthfirst AI system identified four distinct remote memory corruption issues within the NGINX codebase (Source: Depthfirst).

The Root Cause: State Desynchronization
The vulnerability stems from a logic error in the two-pass script engine NGINX employs to process rewrite and set directives. The engine operates in two distinct phases:

  1. The Calculation Pass: NGINX determines the required memory allocation for the buffer.
  2. The Copy Pass: NGINX executes the data transfer into the newly allocated buffer.

The breakdown occurs when a rewrite directive contains a question mark (?). This character triggers an internal is_args flag on the main engine. However, due to a logic oversight, this flag is not propagated to the sub-engine responsible for the initial length calculation. Consequently, the second pass attempts to write a data payload that is significantly larger than the buffer allocated during the first pass, leading to a heap overflow controlled by the attacker.

Exploitation Dynamics
This is a “low-bar” entry for attackers. The vulnerability is reachable via the public internet without any authentication. By sending a specially crafted HTTP request containing specific URI characters (such as +, &, or %), an attacker can trigger the overflow. Furthermore, NGINX’s multi-process architecture unintentionally aids the attacker: if a worker process crashes due to an exploit attempt, the master process automatically spawns a new one with an identical heap layout, allowing for highly reliable, iterative exploitation attempts.

While achieving RCE is trivial on systems where Address Space Layout Randomization (ASLR) is disabled, researchers have demonstrated that ASLR can be bypassed through a sophisticated “byte-by-byte” heap pointer overwrite strategy across multiple requests.

Broader Impact: Three Additional Vulnerabilities

The depthfirst analysis uncovered more than just the “Rift.” Three additional vulnerabilities have been confirmed, expanding the attack surface of NGINX:

  • CVE-2026-42946 (High, CVSS 8.3): A denial-of-service (DoS) flaw in ngx_http_scgi_module and ngx_http_uwsgi_module involving excessive memory allocation (up to ~1 TB) that crashes worker processes.
  • CVE-2026-40701 (Medium, CVSS 6.3): A Use-After-Free (UAF) in ngx_http_ssl_module occurring during asynchronous OCSP DNS resolution after a TLS connection closes.
  • CVE-2026-42934 (Medium, CVSS 6.3): An out-of-bounds read in ngx_http_charset_module caused by an off-by-one error when processing incomplete UTF-8 sequences across proxy buffers.

Remediation and Mitigation Strategy

The following products are confirmed to be vulnerable:

  • NGINX Open Source: 0.6.27 through 1.30.0
  • NGINX Plus: R32 through R36
  • NGINX Instance Manager: 2.16.0 through 2.21.1
  • NGINX App Protect WAF: 4.9.0–4.16.0 and 5.1.0–5.8.0
  • NGINX Ingress Controller: 3.5.0–5.4.1

Immediate Action Required:
F5 has issued an official security advisory. System administrators should prioritize upgrading to NGINX 1.31.0 or 1.30.1 immediately.

If an immediate patch deployment is technically unfeasible, you should implement an interim mitigation by auditing your nginx.conf files. Specifically, look for and isolate or remove combinations of rewrite and set directives to reduce the risk of triggering the engine’s flawed logic.

Related Articles

Back to top button
cEx JrrT pBga