A critical vulnerability in the widely used NGINX web server, designated CVE-2026-42945 and nicknamed NGINX Rift, is now being actively exploited by attackers. The flaw was disclosed last week by F5, the company overseeing NGINX development, and security researchers from Depthfirst soon after published technical details and a proof-of-concept (PoC) exploit. According to security firm VulnCheck, exploitation attempts began surfacing on May 16, just three days after the public disclosure.
Understanding the Vulnerability: CVE-2026-42945
CVE-2026-42945 is a memory corruption vulnerability located in the ngx_http_rewrite_module of NGINX. This module handles URL rewriting, a common feature used for redirects, access control, and request handling. The bug allows a remote, unauthenticated attacker to corrupt the heap of an NGINX worker process by sending a specially crafted HTTP request. The trigger relies on a specific configuration pattern: a rewrite directive that uses unnamed regex captures (such as $1 or $2) combined with a replacement string containing a question mark, followed by another rewrite, if, or set directive.
When this pattern is present, NGINX miscalculates the destination buffer using one set of escaping assumptions but writes to it using another set. The write operation overruns the allocated buffer, causing deterministic memory corruption. The corrupted bytes are derived from the attacker-supplied URI, meaning the nature of the corruption is attacker-controlled rather than random. This makes the vulnerability particularly dangerous, as it can be reliably exploited. The researchers highlighted that repeated requests can also keep workers in a crash loop, degrading availability for all sites served by the affected NGINX instance.
Impact and Exploitation Potential
The vulnerability affects both NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus versions R32 through R36. Additionally, several F5 products incorporating NGINX are impacted, including NGINX Ingress Controller, F5 Web Application Firewall (WAF) for NGINX, and F5 DoS for NGINX. Given that NGINX is the most widely deployed web server on the internet—powering over 30% of all websites—the potential attack surface is enormous.
While a denial-of-service (DoS) condition can be achieved on default NGINX configurations, achieving remote code execution (RCE) is more challenging. Both VulnCheck and security researcher Kevin Beaumont noted that RCE is possible if the attacker can disable address space layout randomization (ASLR) on the target server. This might be achieved through other vulnerabilities or weak system configurations. Even without ASLR bypass, the DoS capability alone is serious, as it can disrupt services for millions of users.
According to VulnCheck's Initial Access team, a Censys query identified approximately 5.7 million internet-exposed NGINX servers running a potentially vulnerable version. However, the truly exploitable population is likely much smaller, as the vulnerable rewrite configuration pattern is not present on every NGINX installation. Nonetheless, the number of at-risk systems remains substantial, and administrators must act quickly.
Background on NGINX and Its Critical Role
NGINX is an open-source web server that also serves as a reverse proxy, load balancer, and HTTP cache. Its event-driven, asynchronous architecture allows it to handle thousands of concurrent connections with minimal resource usage, making it a favorite for high-traffic websites and cloud platforms. Major companies like Netflix, Airbnb, and GitHub rely on NGINX. Its development is overseen by F5, which offers both the free open-source version and the commercial NGINX Plus with additional features and support.
Given its widespread use, vulnerabilities in NGINX have historically drawn significant attention. Past flaws include CVE-2021-23017 (a DNS resolver vulnerability) and CVE-2022-41741 (memory corruption in HTTP/2). Each time, the security community mobilized quickly to patch, but the vast number of instances often leaves many unpatched for extended periods. CVE-2026-42945 is particularly critical because it can be triggered by a single HTTP request and does not require authentication.
How Attackers Are Exploiting the Flaw
After the PoC exploit was published by Depthfirst researchers, it did not take long for threat actors to incorporate it into their toolkits. VulnCheck's canary systems flagged scanning and exploitation attempts on May 16. These attempts are likely automated probes looking for NGINX instances with the specific rewrite configuration. Once a vulnerable target is found, attackers can crash the worker process repeatedly, causing service disruption. In some cases, if combined with an ASLR bypass, attackers might execute arbitrary code, potentially leading to full server compromise.
The exploitation method is notable for its simplicity. The crafted URI need only satisfy the pattern required by the vulnerable rewrite directives. This means that even sites with minimal custom configurations could be at risk if they use any rewrite rules with unnamed captures. Many CMS platforms, e-commerce sites, and custom web applications employ URL rewriting, amplifying the potential impact.
Security experts advise that administrators should immediately check their NGINX configurations for the use of unnamed regex captures in rewrite directives. A quick way to mitigate without patching is to switch to named captures (e.g., $name instead of $1). However, the most reliable fix is to update to a patched version.
Available Fixes and Mitigations
F5 has released patches for all affected product lines. Specific fixed versions are as follows:
- NGINX Open Source: versions 1.31.0 and 1.30.1
- NGINX Plus: versions R36 P4 and R32 P6
- F5 WAF for NGINX: version 5.13.0
- F5 DoS for NGINX: version 4.9.0
Additionally, F5 has provided a configuration mitigation: replace unnamed captures in rewrite definitions with named captures. This changes the escaping behavior and prevents the memory corruption from occurring. For example, instead of using rewrite ^/(.*)$ /redirect?$1, use rewrite ^/(?<name>.*)$ /redirect?$name.
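The following is an added example, not code from F5, Depthfirst or the article: a small audit script that scans an nginx configuration for the exact shape described above (a rewrite whose replacement references an unnamed capture and contains a question mark, followed by another rewrite, if or set directive in the same block) and rewrites a flagged directive into the named-capture form F5 recommends. The sample configuration is constructed for illustration, and the capture names c1, c2, ... are an arbitrary choice.

```python
import re
from itertools import count

# Constructed sample nginx config (not from the page): /old shows the risky shape
# (unnamed capture, '?' in the replacement, then another directive); /new is the
# named-capture workaround; /plain has no '?' and so is not flagged.
SAMPLE_CONF = """server {
    location /old {
        rewrite ^/old/(.*)$ /redirect?$1 break;
        set $flag 1;
    }
    location /new {
        rewrite ^/new/(?<path>.*)$ /redirect?$path break;
        set $flag 1;
    }
    location /plain {
        rewrite ^/plain/(.*)$ /archive/$1 permanent;
    }
}"""

REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)')
FOLLOWUP_RE = re.compile(r'^\s*(rewrite|if|set)\b')
UNNAMED_REF_RE = re.compile(r'\$[1-9]')

def find_risky_rewrites(conf_text):
    """Return [(line_no, directive)] for rewrites whose replacement references an
    unnamed capture ($N) and contains '?', followed by rewrite/if/set in the same block."""
    lines, findings = conf_text.splitlines(), []
    for i, line in enumerate(lines):
        m = REWRITE_RE.match(line)
        if not m or '?' not in m.group(2) or not UNNAMED_REF_RE.search(m.group(2)):
            continue
        depth = 0  # look ahead, but stay inside the enclosing block
        for nxt in lines[i + 1:]:
            depth += nxt.count('{') - nxt.count('}')
            if depth < 0:
                break
            if depth == 0 and FOLLOWUP_RE.match(nxt):
                findings.append((i + 1, line.strip()))
                break
    return findings

def to_named_captures(regex, replacement):
    """Apply F5's workaround: '(...)' -> '(?<cN>...)' and '$N' -> '$cN'.
    Simplified: keeps escaped parens, ignores parens inside character classes."""
    counter = count(1)
    def group(m):
        return m.group(0) if m.group(0).startswith('\\') else f'(?<c{next(counter)}>'
    return re.sub(r'\\.|\((?!\?)', group, regex), re.sub(r'\$([1-9])', r'$c\1', replacement)
```

Run it over each include file separately, since the script does not follow include directives, and treat every finding as a candidate for patching rather than as proof of exploitability.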
Linux distributions have begun releasing updated nginx packages. AlmaLinux, Ubuntu, and Debian have already pushed patches. Users of other distributions should check their repositories or build from source using the fixed version. For those unable to update immediately, the configuration workaround is a viable temporary measure.
Wider Implications for Internet Infrastructure
This vulnerability underscores the fragility of core internet infrastructure. While many high-profile sites use NGINX, many smaller sites and internal enterprise applications are also reliant on it. The ease of triggering a DoS attack means that even if RCE is not achieved, attackers can cause significant disruption. In an era where uptime and reliability are critical for business operations, such vulnerabilities demand rapid attention.
The incident also highlights the importance of proactive security measures. Regular vulnerability scanning, configuration reviews, and patch management are essential. Organizations should also consider implementing Web Application Firewalls (WAFs) to detect and block malformed requests that correspond to known vulnerabilities. F5's own WAF for NGINX includes protections, but only if properly configured.
Historical Lessons from Previous NGINX Vulnerabilities
Looking back at the lifecycle of previous NGINX vulnerabilities provides context for the current situation. For instance, CVE-2021-23017 affected the DNS resolver module and required specific configuration to be exploitable. Despite the limited exposure, many administrators delayed patching, leading to prolonged risk. Similarly, CVE-2022-41741, a heap overflow in the HTTP/2 protocol handler, had a CVSS score of 7.5 and was exploited in targeted attacks. Each time, the message was the same: patch early and review configurations.
The NGINX Rift vulnerability follows this pattern but raises the stakes due to the trivial exploitation path. Unlike previous bugs that required specific conditions (e.g., HTTP/2 enabled), CVE-2026-42945 only demands a common rewrite pattern. This makes it more accessible to attackers and harder for defenders to assess their exposure without manual configuration audits.
Recommendations for System Administrators
To protect against CVE-2026-42945, administrators should take the following steps immediately:
- Upgrade NGINX to the latest patched version (1.31.0 or 1.30.1 for open source).
- For NGINX Plus users, apply the latest service pack (R36 P4 or R32 P6).
- Audit all NGINX configuration files for rewrite directives that use unnamed captures. Replace them with named captures as a temporary hardening measure.
- If upgrading is not possible, implement a WAF rule to block requests containing patterns that could trigger the vulnerability. However, note that this may not be fully effective against all variations.
- Monitor server logs for unusual crash patterns or repeated error messages related to worker processes.
- Consider enabling ASLR and other memory protection mechanisms on servers to raise the bar for RCE exploitation.
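As an added illustration of the log-monitoring step above (not code from the article or from F5), this script detects the worker crash loop the researchers describe by counting nginx "worker process N exited on signal 11" alerts that fall inside a short time window. The log lines are constructed samples in nginx's error-log format; the one-minute window and three-crash threshold are assumptions to tune per deployment.

```python
import re
from datetime import datetime

# Constructed sample error-log lines (not from the page). "worker process N exited
# on signal 11" is nginx's own alert when a worker dies of SIGSEGV.
SAMPLE_ERROR_LOG = """\
2026/05/16 10:00:00 [notice] 100#100: start worker process 201
2026/05/16 10:00:05 [alert] 100#100: worker process 201 exited on signal 11 (core dumped)
2026/05/16 10:00:06 [notice] 100#100: start worker process 202
2026/05/16 10:00:09 [alert] 100#100: worker process 202 exited on signal 11 (core dumped)
2026/05/16 10:00:10 [notice] 100#100: start worker process 203
2026/05/16 10:00:14 [alert] 100#100: worker process 203 exited on signal 11 (core dumped)
2026/05/16 11:30:00 [alert] 100#100: worker process 204 exited on signal 11 (core dumped)
"""

CRASH_RE = re.compile(
    r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \S+ '
    r'worker process (\d+) exited on signal (\d+)')
FATAL_SIGNALS = {'6', '11'}  # SIGABRT / SIGSEGV: what heap corruption usually ends in

def worker_crash_times(log_text):
    """Timestamps of worker exits on SIGSEGV/SIGABRT, sorted."""
    times = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group(3) in FATAL_SIGNALS:
            times.append(datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S'))
    return sorted(times)

def max_crashes_in_window(log_text, window_seconds=60):
    """Largest number of worker crashes falling inside any span of window_seconds."""
    times = worker_crash_times(log_text)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1  # slide the window forward past crashes that are too old
        best = max(best, end - start + 1)
    return best

def crash_loop_detected(log_text, threshold=3, window_seconds=60):
    """True when the log shows threshold or more crashes within window_seconds."""
    return max_crashes_in_window(log_text, window_seconds) >= threshold
```

A single crash is noise on most fleets; a burst that coincides with requests hitting the rewrite location is what should page someone.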
Given the active exploitation, this is a time-sensitive issue. Organizations that run NGINX should treat this as a priority and allocate resources to patch as soon as possible. The security community has already demonstrated that PoC code works, and threat actors are actively scanning for vulnerable systems.
Source: Help Net Security News