NGINX Rift CVE-2026-42945 Exploited After Disclosure, Putting Rewrite-Heavy Edge Servers at Risk

By Ash K

NGINX Rift is not dangerous because every NGINX server is automatically exploitable. It is dangerous because the vulnerable pattern sits in a place defenders often treat as plumbing: rewrite logic at the edge.

The flaw, tracked as CVE-2026-42945, has now reportedly seen exploitation attempts in the wild just days after public disclosure. For security teams, the operational question is no longer whether the bug is interesting. It is whether exposed NGINX estates have already been inventoried, patched, and checked for risky rewrite configurations.

What happened

CVE-2026-42945 is a heap buffer overflow in NGINX’s ngx_http_rewrite_module, the module commonly used to rewrite URLs, route requests, preserve request paths, and shape traffic before it reaches backend applications.

F5’s advisory describes the vulnerable condition as a specific rewrite pattern: a rewrite directive followed by another rewrite, if, or set directive, where an unnamed PCRE capture such as $1 or $2 is used with a replacement string containing a question mark. Under those conditions, a crafted HTTP request can trigger heap corruption in an NGINX worker process.

The vulnerability affects NGINX Open Source versions 0.6.27 through 1.30.0, with fixes listed in 1.30.1 and 1.31.0. AlmaLinux maintainers also reported that NGINX Plus R32 through R36 are affected. The issue carries a CVSS v4 score of 9.2, placing it in critical territory.

Why the exploitation reports matter

The Hacker News reported on May 17, 2026, citing VulnCheck, that exploitation attempts had been observed against honeypot infrastructure shortly after disclosure. The end goal of the observed activity was not publicly confirmed, but the timing is the important part: attackers appear to be moving quickly from advisory reading to internet-facing probing.

That does not mean every exposed NGINX instance is a guaranteed remote code execution target. This bug depends on both version and configuration. The vulnerable rewrite pattern has to be present, and reliable code execution is materially harder when Address Space Layout Randomization is enabled. F5 and oss-sec reporting state that exploitation may crash the NGINX worker process, while code execution is possible on systems where ASLR is disabled.

For defenders, that distinction matters. The practical risk is not just theoretical RCE. A repeatable worker crash against edge infrastructure can still become a denial-of-service condition, especially where NGINX sits in front of authentication portals, APIs, ingress controllers, payment flows, or customer-facing applications.

What makes NGINX Rift stand out

The uncomfortable part of CVE-2026-42945 is its age and location. Public research and downstream advisories describe the bug as roughly 18 years old, introduced around 2008, and present in a module included in standard NGINX builds.

The technical failure is a mismatch between how NGINX calculates a destination buffer and how it later writes escaped data into that buffer. In vulnerable rewrite chains, certain characters can expand during escaping, causing the write operation to run past the allocated heap buffer. That is exactly the kind of edge-case memory bug that can remain invisible for years because the dangerous condition depends on configuration, request shape, and internal parser state lining up.

This is why asset inventory alone is not enough. A scanner that only says “NGINX present” is useful, but incomplete. Defenders need to know which versions are deployed, where rewrite rules are used, and whether unnamed captures such as $1 or $2 appear in the risky pattern described by F5.

Affected systems and fixes

Organizations should prioritize internet-facing NGINX systems first, especially reverse proxies, API gateways, ingress controllers, load balancers, and systems where NGINX terminates or routes external HTTP traffic.

The most direct remediation is to upgrade to fixed releases. NGINX Open Source users should move to 1.30.1 or 1.31.0 where applicable. F5 customers should review the vendor advisory for affected NGINX Plus and related product versions, including NGINX Instance Manager, NGINX Ingress Controller, NGINX Gateway Fabric, and NGINX App Protect components where deployed.

Where patching cannot happen immediately, configuration review becomes the emergency control. Security teams should search NGINX configurations for rewrite rules that combine unnamed captures such as $1 or $2, replacement strings containing ?, and following rewrite, if, or set directives in the same scope. Replacing unnamed captures with safer named captures may reduce exposure, but should not be treated as a substitute for patching.
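
The configuration review described above can be scripted. The following is an added example, not code from F5, NGINX, or the original article: a heuristic scanner that flags a rewrite whose replacement contains ?, that is followed in the same block by rewrite, if, or set, and where an unnamed capture such as $1 appears. The sample config, function names, and the simple tokenizer (which ignores quoted strings) are assumptions made for illustration.

```python
import re
# Constructed sample config for illustration (not taken from any advisory).
SAMPLE_CONF = r"""
server {
    location /legacy/ {
        rewrite ^/legacy/(.*)$ /app/index.php?path=$1 last;
        set $origin legacy;
    }
    location /named/ {
        rewrite ^/named/(?<slug>.*)$ /app/index.php?path=$slug last;
        set $origin named;
    }
}
"""

UNNAMED = re.compile(r"\$\d")          # unnamed captures: $1, $2, ...
FOLLOWERS = {"rewrite", "if", "set"}   # directives named in the risky pattern

def directives(conf):
    """Yield (line, scope_id, name, args); heuristic, does not handle quoting."""
    conf = re.sub(r"#[^\n]*", "", conf)           # drop comments, keep newlines
    stack, next_id = [0], 1
    for m in re.finditer(r"([^;{}]*)([;{}])", conf):
        words = m.group(1).split()
        if words:
            line = conf.count("\n", 0, m.end(1)) + 1
            yield line, stack[-1], words[0], words[1:]
        if m.group(2) == "{":                     # entering a new block scope
            stack.append(next_id)
            next_id += 1
        elif m.group(2) == "}" and len(stack) > 1:
            stack.pop()

def find_risky_rewrites(conf):
    """Return (rewrite_line, follower_line) pairs matching the described pattern."""
    scopes = {}
    for line, scope, name, args in directives(conf):
        scopes.setdefault(scope, []).append((line, name, args))
    hits = []
    for items in scopes.values():
        for i, (line, name, args) in enumerate(items):
            if name != "rewrite" or len(args) < 2 or "?" not in args[1]:
                continue
            later = [it for it in items[i + 1:] if it[1] in FOLLOWERS]
            unnamed = UNNAMED.search(args[1]) or any(
                UNNAMED.search(" ".join(a)) for _, _, a in later)
            if later and unnamed:
                hits.append((line, later[0][0]))
    return hits
```

A hit is a prompt for manual review and patch prioritization, not proof of exploitability; included files need to be scanned separately or concatenated first.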

Defender actions to take now

Start with exposed NGINX assets, then move inward. Confirm the deployed version, identify whether vulnerable rewrite patterns exist, and check whether ASLR is enabled on affected hosts. Teams should also review error logs and process supervision telemetry for abnormal NGINX worker crashes beginning around the disclosure window of May 13, 2026.
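
The three checks in this paragraph (version, ASLR, worker crashes since disclosure) can be combined into a small triage helper. This is an added example, not tooling from the article or any vendor; the sample log lines are constructed, and the per-hour threshold of 3 and the choice of fault signals are assumptions to tune per environment.

```python
import re
from collections import Counter
from datetime import datetime

DISCLOSED = datetime(2026, 5, 13)   # disclosure window start, per the article
FAULT_SIGNALS = {6, 7, 11}          # SIGABRT, SIGBUS, SIGSEGV (Linux numbering)
CRASH = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] \d+#\d+: "
                   r"worker process \d+ exited on signal (\d+)")

# Constructed error.log excerpt for illustration (not real telemetry).
SAMPLE_LOG = """\
2026/05/02 09:14:07 [alert] 811#811: worker process 902 exited on signal 11
2026/05/15 02:10:41 [error] 811#811: *77 open() "/srv/www/favicon.ico" failed
2026/05/15 02:11:03 [alert] 811#811: worker process 1440 exited on signal 11 (core dumped)
2026/05/15 02:11:09 [alert] 811#811: worker process 1451 exited on signal 11 (core dumped)
2026/05/15 02:47:30 [alert] 811#811: worker process 1466 exited on signal 11 (core dumped)
2026/05/16 18:00:02 [alert] 811#811: worker process 1502 exited on signal 15
"""

def is_affected_oss(version):
    """True if an NGINX Open Source version is in the range the article gives."""
    v = tuple(int(p) for p in version.split("."))
    return (0, 6, 27) <= v <= (1, 30, 0)

def aslr_enabled(path="/proc/sys/kernel/randomize_va_space"):
    """Linux only: 0 means ASLR is off; 1 or 2 means it is on."""
    with open(path) as fh:
        return fh.read().strip() != "0"

def crash_bursts(log_text, threshold=3):
    """Hours on or after DISCLOSED with >= threshold fault-signal worker exits."""
    per_hour = Counter()
    for line in log_text.splitlines():
        m = CRASH.match(line)
        if m and int(m.group(2)) in FAULT_SIGNALS:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            if ts >= DISCLOSED:
                per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return {hour: n for hour, n in per_hour.items() if n >= threshold}
```

Run `nginx -v` to get the version string to pass to `is_affected_oss`; distribution packages may backport the fix without changing the upstream version number, so confirm against the package changelog as well.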

Detection should focus less on a single static indicator and more on behavior: unusual URI patterns, heavily encoded request paths, repeated requests targeting rewrite-heavy locations, unexplained worker restarts, and spikes in 4xx or 5xx responses around specific routes. Public reporting has not established a universal attacker infrastructure set or payload family tied to this activity, so defenders should avoid waiting for perfect IOCs.

NeuraCyb's Assessment

NGINX Rift is a reminder that edge configuration is attack surface, not housekeeping. The exploitability may depend on a specific rewrite pattern, but that pattern lives exactly where many production environments accumulate years of redirects, migrations, API routing shortcuts, and legacy compatibility rules. Patch quickly, but do not stop there: the real cleanup is knowing what your edge servers are actually doing with every request before the application ever sees it.

References

F5 Advisory: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945

NVD: CVE-2026-42945 Detail

oss-sec: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945

AlmaLinux: NGINX Rift CVE-2026-42945 Patches Released

Picus: NGINX Rift CVE-2026-42945 Critical Heap Buffer Overflow Vulnerability Explained

Security Affairs: NGINX Rift 18-year-old flaw coverage

The Hacker News: CVE-2026-42945 reportedly exploited in the wild

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products, and security solutions architecture.