NGINX Rift (CVE-2026-42945) - An 18-Year-Old RCE in the World's Most Deployed Web Server

NGINX Rift (CVE-2026-42945) - Patch nginx Now

A heap buffer overflow has been disclosed in the nginx ngx_http_rewrite_module, the module that powers rewrite, if, and set directives in virtually every non-trivial nginx configuration. Tracked as CVE-2026-42945 and named NGINX Rift, it carries a CVSS v4 score of 9.2 (Critical). The bug was introduced in nginx 0.6.27 in 2008 and sat undetected for 18 years across every release up to and including 1.30.0.

A single crafted HTTP request from an unauthenticated remote attacker is enough to trigger it. On servers without ASLR, that request can lead to remote code execution in the worker process. With ASLR enabled, repeated requests crash workers and produce a denial of service. No reports of in-the-wild exploitation existed at disclosure on April 21, 2026, but a public proof-of-concept has since been published to GitHub. Treat this as urgent.

Why This One Is Serious

Three factors stack here:

1. Reach. nginx is the most widely deployed web server on the internet. The vulnerable module is compiled in by default and used by almost every real-world config that does URL rewriting, canonical redirects, or reverse-proxy path manipulation.
2. No authentication, single request. The attacker needs no credentials, no foothold, and no user interaction. The corruption is shaped by attacker-controlled URI bytes, not random, which is what turns a crash into a credible RCE primitive.
3. Common trigger pattern. The flaw fires when a rewrite directive combines an unnamed PCRE capture group ($1, $2) with a question mark in the replacement string, followed by another rewrite, if, or set directive. That is a routine pattern in API gateway and reverse-proxy configurations.

Root Cause in Plain Terms

nginx computes the destination buffer size using one set of escaping assumptions, then writes into that buffer using a different set. When a question mark appears in the replacement string, an internal flag is set but never cleared. The length calculation runs through a sub-engine that does not account for URI escaping, while the actual write still has escaping active. Characters such as +, %, and & expand by two bytes each during the copy, so more data is written than was allocated. The overflow is deterministic, not a race.

Affected Versions

If you run nginx anywhere as a reverse proxy, ingress controller, or API gateway, assume you are in scope until you have verified the build number.

What To Do

1. Check your version

nginx -v
# nginx version: nginx/1.30.0  -> vulnerable
# nginx version: nginx/1.30.1  -> patched

2. Patch

# Debian / Ubuntu (official nginx repo)
sudo apt update && sudo apt install --only-upgrade nginx
sudo systemctl restart nginx

# RHEL / AlmaLinux / Rocky
sudo dnf update nginx
sudo systemctl restart nginx

# Confirm the running binary, not just the package
nginx -v

A package upgrade alone is not enough. nginx keeps running the old binary in memory until the master process is restarted or reloaded. Restart the service and re-check nginx -v against the running process.

3. Temporary mitigation if you cannot patch immediately

Replace unnamed capture groups with named captures in your rewrite rules. Named captures do not hit the vulnerable code path.

# Vulnerable pattern
rewrite ^/users/([0-9]+)$ /profile.php?id=$1 last;

# Safe equivalent with a named capture
rewrite ^/users/(?<user_id>[0-9]+)$ /profile.php?id=$user_id last;

Audit every rewrite directive that uses $1/$2 style references together with a ? in the target, especially in reverse-proxy and gateway configs. This mitigation is a stopgap, not a substitute for the patched binary.

Do Not Forget the Three Companion CVEs

The same nginx release fixed three other flaws. Patching for NGINX Rift fixes all four at once, so there is no reason to apply them separately:

• CVE-2026-42946 (CVSS 8.3) - excessive memory allocation in the scgi/uwsgi modules
• CVE-2026-40701 (CVSS 6.3) - use-after-free in the SSL module
• CVE-2026-42934 (CVSS 6.3) - out-of-bounds read in the charset module

Where This Fits

NGINX Rift lands in the middle of an already heavy May 2026 for infrastructure security: three Linux kernel privilege escalations and a critical cPanel authentication bypass in the same window. For the full picture and the rest of the patch priorities, see our May 2026 Linux and cPanel CVE roundup.

The pattern is consistent. Long-lived bugs in core infrastructure are surfacing faster than scheduled maintenance windows can absorb. An 18-year-old flaw in the most deployed web server on earth, unauthenticated and single-request, is exactly the kind of finding that needs to move from "disclosed" to "patched" in hours, not weeks.

We handle nginx hardening and emergency patch rollouts across managed infrastructure as part of our security and compliance service. If you are unsure whether your reverse proxies and ingress controllers are on a patched build, get in touch.