May 14, 2026
NGINX Rift (CVE-2026-42945): The Bug That’s Been Hiding Since 2008
Dhanuka Nanayakkara
On May 13, 2026, a critical security flaw was identified in NGINX, one of the most widely used pieces of software on the internet. The vulnerability is tracked as CVE-2026-42945 and nicknamed "NGINX Rift". It had been hiding undetected since 2008.
What Is NGINX?
If you've used the internet today, you've almost certainly interacted with NGINX without knowing it. NGINX is software that runs on web servers. When you type a web address into your browser and hit enter, your request travels across the internet and eventually lands at a server. NGINX is usually the first thing that greets that request. It decides what to do with it, whether that means serving you a web page, forwarding your request to another system, or handling multiple users at the same time without the server grinding to a halt.
The Vulnerability (CVE-2026-42945)
NGINX has a feature called "rewrite rules" that lets server administrators tell the software how to redirect or reformat incoming web requests. For example, a rule might say "if someone visits /old-page, send them to /new-page instead." These rules are extremely common. WordPress, PHP applications, and API services use them constantly. When processing one of these rewrite rules, NGINX does its work in two steps. First it figures out how much space it needs. Then it does the actual writing. The bug is that these two steps were using slightly different methods to handle certain special characters in web addresses, like ?, +, and %. Step one calculated a smaller space than step two actually needed. When step two ran, it wrote data beyond the boundary of the space it was given, into memory it had no business touching.
This type of flaw is called a heap buffer overflow, where data spills into memory regions it should never reach. The dangerous part here is that the data doing the spilling comes from the attacker's web request. That gives an attacker a degree of control over what gets written and where, which is the foundation of a serious exploit. The flaw was introduced in NGINX version 0.6.27, released back in 2008. It was found not by a human security researcher, but by an automated AI-powered analysis system built by a company called depthfirst (https://depthfirst.com/nginx-rift).
Impact
Denial of Service: The easiest thing an attacker can do is send a crafted request that causes the NGINX worker process to crash. The server will recover on its own, but repeated attacks can keep crashing it, making the website unreliable or completely unavailable for legitimate users.
Remote Code Execution: On servers where a specific security feature called ASLR (Address Space Layout Randomization) is turned off, the attacker can potentially go further. Instead of just crashing the process, they can use the overflow to inject and run their own code on the server.
Affected Versions
- NGINX Open Source - 0.6.27 up to and including 1.30.0
- NGINX Plus - R32 through R36
Mitigation
Update NGINX: If you manage your own server, update to version 1.31.0 (mainline) or 1.30.1 (stable). Both are available from the official nginx.org downloads page. NGINX Plus users should contact F5 for the patched release. Most Linux distributions have already pushed emergency updates through their package managers, so running a standard system update is often enough.
Change rewrite rules: The vulnerability only triggers when rewrite rules use a specific style of pattern matching. Switching from "unnamed captures" to "named captures" completely sidesteps the buggy code. Once the config is updated, the attack path is closed even on an unpatched version.
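To find the rules this mitigation applies to, here is an added example (not from the original article or the NGINX project): a small Python audit that flags rewrite directives whose replacement references positional captures ($1 to $9). It assumes that this is the "unnamed captures" style described above, and the sample config, including the named-capture form of the same kind of rule, is constructed.

```python
import re

# Constructed sample config (not from any real site).
SAMPLE_CONF = r"""
server {
    listen 80;
    # unnamed (positional) captures: $1 and $2
    rewrite ^/blog/(\d+)/(.*)$ /index.php?id=$1&slug=$2 last;
    # the same kind of rule rewritten with named captures
    rewrite ^/shop/(?<id>\d+)/(?<slug>.*)$ /index.php?id=$id&slug=$slug last;
    location /api { rewrite ^/api/(.*)$ /v2/$1 break; }
    # rewrite ^/old/(.*)$ /new/$1 permanent;
}
"""

# "rewrite <regex> <replacement>"; requiring whitespace after the keyword
# keeps directives such as rewrite_log from matching.
REWRITE_RE = re.compile(r"\brewrite\s+(\S+)\s+([^\s;]+)")
# Positional capture references in the replacement string.
POSITIONAL_RE = re.compile(r"\$[1-9]")


def find_positional_rewrites(conf_text):
    """Return (line_number, regex, replacement, refs) for each rewrite
    directive whose replacement uses $1..$9.

    Heuristic (assumption of this sketch): everything after '#' is treated
    as a comment and arguments are assumed to be unquoted, so quoted
    arguments containing spaces or '#' are not handled.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop comments
        for match in REWRITE_RE.finditer(code):
            pattern, replacement = match.groups()
            refs = POSITIONAL_RE.findall(replacement)
            if refs:
                findings.append((lineno, pattern, replacement, refs))
    return findings


if __name__ == "__main__":
    for lineno, pattern, replacement, refs in find_positional_rewrites(SAMPLE_CONF):
        print(f"line {lineno}: rewrite {pattern} {replacement} uses {', '.join(refs)}")
```

After converting a flagged rule to named captures, validate the configuration with nginx -t before reloading.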