CVE-2026-42945 (“NGINX Rift”): Heap Buffer Overflow in the Rewrite Module Enables Unauthenticated RCE
In a staggering discovery that underscores the long-tail risks of legacy code, a critical vulnerability has been unearthed within the NGINX source code. This flaw, which has remained dormant and undetected since 2008, has transitioned from a theoretical risk to an active threat with working exploits already circulating in the wild.
Security researchers at depthfirst have released a Proof-of-Concept (PoC) demonstrating unauthenticated Remote Code Execution (RCE). Given that NGINX powers nearly one-third of the global web infrastructure, the implications for internet security are profound.
The vulnerability is officially tracked as CVE-2026-42945 and codenamed “NGINX Rift.” It carries a critical CVSS v4.0 score of 9.2, reflecting its ease of exploitation and the catastrophic potential for system compromise.
Technical Breakdown: The Mechanics of the Rift
At its core, CVE-2026-42945 is a heap buffer overflow residing within NGINX’s ngx_http_rewrite_module. This bug was introduced as far back as version 0.6.27 and affects virtually every subsequent release up to version 1.30.0.
What makes this discovery particularly fascinating is the methodology: the flaw was not caught by human manual audit, but was autonomously identified by depthfirst’s AI-driven source code analysis engine in just six hours of continuous scanning.

The Root Cause: State Desynchronization
The vulnerability stems from a logic error in the two-pass script engine NGINX employs to process rewrite and set directives. The engine operates in two distinct phases:
- The Calculation Pass: NGINX determines the required memory allocation for the buffer.
- The Copy Pass: NGINX executes the data transfer into the newly allocated buffer.
The breakdown occurs when a rewrite directive contains a question mark (?). This character triggers an internal is_args flag on the main engine. However, due to a logic oversight, this flag is not propagated to the sub-engine responsible for the initial length calculation. Consequently, the second pass attempts to write a data payload that is significantly larger than the buffer allocated during the first pass, leading to a heap overflow controlled by the attacker.
Exploitation Dynamics
This is a “low-bar” entry for attackers. The vulnerability is reachable via the public internet without any authentication. By sending a specially crafted HTTP request containing specific URI characters (such as +, &, or %), an attacker can trigger the overflow. Furthermore, NGINX’s multi-process architecture unintentionally aids the attacker: if a worker process crashes due to an exploit attempt, the master process automatically spawns a new one with an identical heap layout, allowing for highly reliable, iterative exploitation attempts.
While achieving RCE is trivial on systems where Address Space Layout Randomization (ASLR) is disabled, researchers have demonstrated that ASLR can be bypassed through a sophisticated “byte-by-byte” heap pointer overwrite strategy across multiple requests.
Broader Impact: Three Additional Vulnerabilities
The depthfirst analysis uncovered more than just the “Rift.” Three additional vulnerabilities have been confirmed, expanding the attack surface of NGINX:
- CVE-2026-42946 (High, CVSS 8.3): A denial-of-service (DoS) flaw in
ngx_http_scgi_moduleandngx_http_uwsgi_moduleinvolving excessive memory allocation (up to ~1 TB) that crashes worker processes. - CVE-2026-40701 (Medium, CVSS 6.3): A Use-After-Free (UAF) in
ngx_http_ssl_moduleoccurring during asynchronous OCSP DNS resolution after a TLS connection closes. - CVE-2026-42934 (Medium, CVSS 6.3): An out-of-bounds read in
ngx_http_charset_modulecaused by an off-by-one error when processing incomplete UTF-8 sequences across proxy buffers.
Remediation and Mitigation Strategy
The following products are confirmed to be vulnerable:
- NGINX Open Source: 0.6.27 through 1.30.0
- NGINX Plus: R32 through R36
- NGINX Instance Manager: 2.16.0 through 2.21.1
- NGINX App Protect WAF: 4.9.0–4.16.0 and 5.1.0–5.8.0
- NGINX Ingress Controller: 3.5.0–5.4.1
Immediate Action Required:
F5 has issued an official security advisory. System administrators should prioritize upgrading to NGINX 1.31.0 or 1.30.1 immediately.
If an immediate patch deployment is technically unfeasible, you should implement an interim mitigation by auditing your nginx.conf files. Specifically, look for and isolate or remove combinations of rewrite and set directives to reduce the risk of triggering the engine’s flawed logic.