Critical NGINX Vulnerability Under Active Attack
A severe security vulnerability in the widely deployed NGINX web server, cataloged as CVE-2026-42945 and informally referred to as NGINX Rift, is now being actively exploited by attackers. The flaw, disclosed just over a week ago, allows unauthenticated remote attackers to cause denial of service and, in specific scenarios, achieve remote code execution on vulnerable systems.
The Significance of NGINX
NGINX is the most popular web server software on the internet, powering a substantial portion of the world's busiest websites. Its architecture is designed for high concurrency, low memory usage, and scalability. Beyond serving static and dynamic content, NGINX commonly functions as a reverse proxy, load balancer, HTTP cache, and API gateway. The software is developed and maintained by F5 Networks, which offers both the open source edition (NGINX Open Source) and a commercial version (NGINX Plus). F5 also integrates NGINX into its application delivery controllers (ADCs), web application firewalls (WAFs), and Kubernetes ingress controllers, extending the attack surface to many enterprise environments.
Given its critical role in modern web infrastructure, a vulnerability in NGINX carries outsized risk. Any flaw that can be exploited remotely and without authentication demands immediate attention, and CVE-2026-42945 fits that description.
Technical Breakdown of CVE-2026-42945
CVE-2026-42945 is a memory corruption vulnerability residing in the ngx_http_rewrite_module. This module handles URI rewriting using regular expressions. The flaw arises when a specific configuration pattern is present: a rewrite directive that uses an unnamed regex capture (denoted by $1, $2, etc.) and a replacement string containing a question mark, followed by another rewrite, if, or set directive.
Under these conditions, NGINX miscalculates the buffer size needed for the rewritten URI. The server computes the destination buffer using one set of escape assumptions but writes to it using a different set. The result is a deterministic heap buffer overflow. Crucially, the overflowed bytes are derived from the attacker-controlled URI, giving the attacker control over the corruption pattern. Each crafted request can crash a worker process, and repeating the request produces a sustained denial of service. In cases where address space layout randomization (ASLR) is disabled on the target, whether by system configuration or through a separate exploit, an attacker may be able to leverage the controlled heap corruption to achieve arbitrary code execution.
The vulnerability affects NGINX Open Source versions 0.6.27 through 1.30.0, and NGINX Plus versions R32 through R36. It also impacts several F5 products that embed NGINX, such as NGINX Ingress Controller, F5 WAF for NGINX, and F5 DoS for NGINX. This wide range of affected versions means that many existing deployments are exposed.
Discovery and Proof of Concept
The vulnerability was uncovered by researchers at Depthfirst, a security company specializing in AI-driven vulnerability detection. They identified five security issues in NGINX using their automated platform; CVE-2026-42945 was deemed the most critical. After F5 released patches and a security advisory, Depthfirst published detailed technical analysis and a proof-of-concept exploit. This rapid disclosure—standard practice in the security community—allowed defenders to assess their risk but also gave attackers a clear roadmap.
Exploitation in the Wild
According to VulnCheck security researcher Patrick Garrity, the company's canary systems first detected exploitation attempts on May 16, just three days after the advisory and PoC were made public. The attempts were targeting internet-facing NGINX instances. While the exact number of compromised systems remains unclear, the speed of weaponization indicates that threat actors are actively scanning for vulnerable servers.
Not every NGINX server is vulnerable to code execution—only those running the specific rewrite configuration described above. However, the denial-of-service vector works on default configurations, enabling attackers to disrupt websites even without achieving RCE. VulnCheck's Censys scans revealed approximately 5.7 million internet-exposed NGINX servers running potentially vulnerable versions. The true number of exploitable instances is likely smaller, but still significant.
Impact and Risk Assessment
The most immediate impact of CVE-2026-42945 is denial of service. By sending a crafted HTTP request, an attacker can crash the NGINX worker process. If workers are configured to restart automatically, repeated requests can keep them in a perpetual crash loop, degrading or completely denying service for all sites served by that instance. For businesses that rely on NGINX for critical web operations, this can lead to revenue loss, reputational damage, and operational disruption.
The potential for remote code execution elevates the severity further. While it requires ASLR to be disabled—a condition that is not common but does occur in legacy environments, embedded systems, or container deployments where security hardening is lax—it is achievable. Attackers who can disable ASLR, either through another vulnerability or through misconfiguration, could gain full control of the NGINX server. This could lead to data theft, lateral movement within the network, or deployment of malware.
Patches and Mitigations
F5 has released patches for all affected product lines:
- NGINX Open Source versions 1.31.0 and 1.30.1
- NGINX Plus versions R36 P4 and R32 P6
- F5 WAF for NGINX version 5.13.0
- F5 DoS for NGINX version 4.9.0
As a temporary mitigation, administrators can replace unnamed regex captures with named captures in rewrite directives. Named captures (e.g., $name) do not trigger the buffer miscalculation. This configuration change can be applied without updating the NGINX binary, providing a quick workaround until patching is possible.
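As an added example (not code from the article, F5 or nginx), the following Python audit script applies the trigger conditions described above to an nginx configuration and emits the named-capture form of each flagged rewrite, which is the workaround just described. SAMPLE_CONF is a constructed configuration; the `$cN` group names and the simple line-based parser (one directive per line, `#` comments) are this example's own assumptions.

```python
import re
# Added defensive audit for the rewrite pattern described in the article; not F5 or nginx code.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')      # nginx directive arguments, optionally quoted
NAMED_GROUP_RE = re.compile(r"\(\?(P?<(?![=!])|')")  # (?<n>...), (?P<n>...), (?'n'...); not lookbehind

def to_named(regex, replacement):
    """Rename each unnamed group to (?<cN>...) and each $N to $cN; PCRE numbers named groups too."""
    out, n, i = [], 0, 0
    while i < len(regex):
        if regex[i] == '\\':                              # keep escapes such as \. or \( intact
            out.append(regex[i:i + 2]); i += 2; continue
        if regex[i] == '(' and not regex.startswith('?', i + 1):   # unnamed capture: give it a name
            n += 1; out.append(f'(?<c{n}>'); i += 1
            replacement = re.sub(rf'\${n}(?!\d)', f'$c{n}', replacement)
            continue
        n += bool(NAMED_GROUP_RE.match(regex, i))         # already named: keep, but it consumes a number
        out.append(regex[i]); i += 1
    return ''.join(out), replacement

def find_vulnerable_rewrites(conf):
    """Flag rewrites whose replacement has '?' and $N and that a rewrite/if/set follows in the same block."""
    findings, stack = [], [[]]                            # pending (unconfirmed) candidates per open block
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = re.sub(r'(^|\s)#.*', '', raw).strip()    # strip nginx comments
        toks = [t.strip('"\'') for t in TOKEN_RE.findall(line.rstrip(';'))]
        if toks and toks[0] in ('rewrite', 'if', 'set'):
            findings.extend(stack[-1])                    # a following rewrite/if/set confirms them
            stack[-1].clear()
            if toks[0] == 'rewrite' and len(toks) > 2 and '?' in toks[2] and re.search(r'\$\d', toks[2]):
                regex, repl = to_named(toks[1], toks[2])
                stack[-1].append({'line': lineno, 'original': line,
                                  'suggested': ' '.join(['rewrite', regex, repl, *toks[3:]]) + ';'})
        if line.endswith('{'):
            stack.append([])
        elif line.startswith('}') and len(stack) > 1:
            stack.pop()                                   # candidates that nothing followed are dropped
    return findings

SAMPLE_CONF = r"""
location /legacy {
    rewrite ^/legacy/(\d+)/(.*)$ /item?id=$1&slug=$2 break;   # unnamed $1/$2, '?', then a set directive
    set $backend app;
}
location /alone {
    rewrite ^/alone/(.*)$ /q?v=$1 last;    # same shape, but nothing follows it in its block
}
"""   # constructed sample configuration, not taken from any real deployment

if __name__ == '__main__':
    print(*find_vulnerable_rewrites(SAMPLE_CONF), sep='\n')
```

Run against a real `nginx -T` dump, each finding carries the original line and a named-capture replacement to review before applying; the script does not edit files itself.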
Major Linux distributions such as AlmaLinux, Ubuntu, and Debian have begun releasing updated nginx packages that incorporate the fix. Organizations using Linux package managers should check for and apply these updates promptly.
Recommendations for Administrators
Given the active exploitation, administrators should treat this vulnerability with urgency. The first step is to identify all NGINX instances in the environment, both on-premises and in cloud or containerized deployments. Check the version against the list of affected releases. If the server runs a vulnerable version, apply the update immediately. For NGINX Plus customers, the latest patch levels are available from the F5 support portal.
In cases where immediate patching is not feasible, implement the mitigation by reviewing all rewrite configurations and replacing unnamed captures with named ones. Additionally, consider restricting external access to NGINX management interfaces and enabling Web Application Firewall (WAF) rules that can detect and block exploit attempts. While the PoC is publicly available, signature-based detection may help until patches are deployed.
It is also recommended to enable ASLR on all servers where it is not already active. Kernel-level protections such as Exec-Shield or PaX can further mitigate the risk of code execution. Regularly scanning for internet-facing NGINX instances and monitoring for unusual crash patterns can provide early warning of exploitation attempts.
Broader Implications
The rapid exploitation of CVE-2026-42945 underscores the challenges of securing widely deployed web infrastructure components. NGINX's ubiquity means that a single vulnerability can affect millions of servers. The fact that the flaw was discovered through AI-assisted vulnerability research highlights the evolving nature of security testing. As detection tools become more powerful, the window between disclosure and exploitation may shrink further.
This incident also serves as a reminder that configuration complexity can introduce security risks. The rewrite module is a powerful feature, but its intricate interaction with buffer allocation created a subtle bug that evaded detection for years. Administrators should review their NGINX configurations for unnecessary complexities and ensure that security hardening best practices are consistently applied.
Finally, the involvement of major Linux distributions in releasing patched packages demonstrates the importance of robust supply chain security. Organizations should verify that they are using updated, trusted packages and have processes in place to respond to future vulnerabilities in critical infrastructure software.
Source: Help Net Security News