NGINX Rift (CVE-2026-42945) - Patch nginx Now
A heap buffer overflow has been disclosed in the nginx ngx_http_rewrite_module, the module that powers rewrite, if, and set directives in virtually every non-trivial nginx configuration. Tracked as CVE-2026-42945 and named NGINX Rift, it carries a CVSS v4 score of 9.2 (Critical). The bug was introduced in nginx 0.6.27 in 2008 and sat undetected for 18 years across every release up to and including 1.30.0.
A single crafted HTTP request from an unauthenticated remote attacker is enough to trigger it. On servers without ASLR, that request can lead to remote code execution in the worker process. With ASLR enabled, repeated requests crash workers and produce a denial of service. No reports of in-the-wild exploitation existed at disclosure on April 21, 2026, but a public proof-of-concept has since been published to GitHub. Treat this as urgent.
Why This One Is Serious
Three factors stack here:
- Reach. nginx is the most widely deployed web server on the internet. The vulnerable module is compiled in by default and used by almost every real-world config that does URL rewriting, canonical redirects, or reverse-proxy path manipulation.
- No authentication, single request. The attacker needs no credentials, no foothold, and no user interaction. The corruption is shaped by attacker-controlled URI bytes, not random, which is what turns a crash into a credible RCE primitive.
- Common trigger pattern. The flaw fires when a
rewritedirective combines an unnamed PCRE capture group ($1,$2) with a question mark in the replacement string, followed by anotherrewrite,if, orsetdirective. That is a routine pattern in API gateway and reverse-proxy configurations.
Root Cause in Plain Terms
nginx computes the destination buffer size using one set of escaping assumptions, then writes into that buffer using a different set. When a question mark appears in the replacement string, an internal flag is set but never cleared. The length calculation runs through a sub-engine that does not account for URI escaping, while the actual write still has escaping active. Characters such as +, %, and & expand by two bytes each during the copy, so more data is written than was allocated. The overflow is deterministic, not a race.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| nginx Open Source | 0.6.27 through 1.30.0 | 1.30.1 or 1.31.0 |
| nginx Plus | R32 through R36 | R36 P4, R32 P6 |
| NGINX Ingress Controller | 3.5.0-3.7.2, 4.0.0-4.0.1, 5.0.0-5.4.1 | updated releases available |
| NGINX Gateway Fabric | 1.3.0-1.6.2, 2.0.0-2.5.1 | updated releases available |
| NGINX Instance Manager | 2.16.0-2.21.1 | updated releases available |
| NGINX App Protect WAF / DoS | multiple | updated releases available |
| F5 WAF for NGINX | 5.9.0-5.12.1 | updated releases available |
If you run nginx anywhere as a reverse proxy, ingress controller, or API gateway, assume you are in scope until you have verified the build number.
What To Do
1. Check your version
nginx -v
# nginx version: nginx/1.30.0 -> vulnerable
# nginx version: nginx/1.30.1 -> patched
2. Patch
# Debian / Ubuntu (official nginx repo)
sudo apt update && sudo apt install --only-upgrade nginx
sudo systemctl restart nginx
# RHEL / AlmaLinux / Rocky
sudo dnf update nginx
sudo systemctl restart nginx
# Confirm the running binary, not just the package
nginx -v
A package upgrade alone is not enough. nginx keeps running the old binary in memory until the master process is restarted or reloaded. Restart the service and re-check nginx -v against the running process.
3. Temporary mitigation if you cannot patch immediately
Replace unnamed capture groups with named captures in your rewrite rules. Named captures do not hit the vulnerable code path.
# Vulnerable pattern
rewrite ^/users/([0-9]+)$ /profile.php?id=$1 last;
# Safe equivalent with a named capture
rewrite ^/users/(?<user_id>[0-9]+)$ /profile.php?id=$user_id last;
Audit every rewrite directive that uses $1/$2 style references together with a ? in the target, especially in reverse-proxy and gateway configs. This mitigation is a stopgap, not a substitute for the patched binary.
Do Not Forget the Three Companion CVEs
The same nginx release fixed three other flaws. Patching for NGINX Rift fixes all four at once, so there is no reason to apply them separately:
- CVE-2026-42946 (CVSS 8.3) - excessive memory allocation in the scgi/uwsgi modules
- CVE-2026-40701 (CVSS 6.3) - use-after-free in the SSL module
- CVE-2026-42934 (CVSS 6.3) - out-of-bounds read in the charset module
Where This Fits
NGINX Rift lands in the middle of an already heavy May 2026 for infrastructure security: three Linux kernel privilege escalations and a critical cPanel authentication bypass in the same window. For the full picture and the rest of the patch priorities, see our May 2026 Linux and cPanel CVE roundup.
The pattern is consistent. Long-lived bugs in core infrastructure are surfacing faster than scheduled maintenance windows can absorb. An 18-year-old flaw in the most deployed web server on earth, unauthenticated and single-request, is exactly the kind of finding that needs to move from "disclosed" to "patched" in hours, not weeks.
We handle nginx hardening and emergency patch rollouts across managed infrastructure as part of our security and compliance service. If you are unsure whether your reverse proxies and ingress controllers are on a patched build, get in touch.
Talk to the engineer who will own your stack.
No account managers, no offshore handoff. Senior DevOps, direct. Tell us what you are dealing with and you get a straight answer.
Related News
The New libssh2 SSH Flaw Is Client-Side, Not Your sshd, and apt upgrade Will Not Fix the Copies That Matter
CVE-2026-55200 is an out-of-bounds write in the libssh2 client library that a malicious or compromised SSH server can use to corrupt a connecting client's memory, and a public proof-of-concept is already out. The corrections that matter: it is client-side and not an OpenSSH or sshd bug, the severity rating is disputed across scorers, and the real cleanup is finding the statically linked and vendored copies a distribution update never touches.
SecurityOpenSSL 3.0 Stops Getting Security Fixes in September and You Probably Still Ship It
OpenSSL 3.0 stops receiving all fixes, including security fixes, after September 7, 2026, and the 3.4 line follows on October 22. For most teams the distro backports cover it, but self-compiled, vendored, and container-bundled OpenSSL go quietly unpatched. Here is who is actually exposed and how to check.
SecurityFrom September 11 the EU Cyber Resilience Act Puts a 24-Hour Clock on Exploited Vulnerabilities and Most Makers Have No Runbook
From 11 September 2026, Article 14 of the EU Cyber Resilience Act forces makers of products with digital elements to report actively exploited vulnerabilities within 24 hours, with a 72-hour follow-up and a 14-day final report. It is the first binding CRA deadline, and the hard part is operational: detecting, triaging, and filing a conformant report inside a single day.