Full Report
Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open Source, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a
Analysis Summary
# Vulnerability: NGINX Rift - Critical Heap Buffer Overflow in Rewrite Module
## CVE Details
- **CVE ID:** CVE-2026-42945
- **CVSS Score:** 9.2 (Critical)
- **CWE:** CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:** NGINX Plus, NGINX Open Source, NGINX Instance Manager, NGINX App Protect (WAF/DoS), NGINX Gateway Fabric, NGINX Ingress Controller.
- **Versions:**
  - **NGINX Open Source:** 0.6.27 through 0.9.7; 1.0.0 through 1.30.0.
  - **NGINX Plus:** R32 through R36.
  - **NGINX Instance Manager:** 2.16.0 through 2.21.1.
  - **NGINX App Protect WAF:** 4.9.0 through 4.16.0; 5.1.0 through 5.8.0.
- **Configurations:** The vulnerability is triggered when a `rewrite` directive is followed by a `rewrite`, `if`, or `set` directive, and an unnamed Perl-Compatible Regular Expression (PCRE) capture (e.g., `$1`, `$2`) is used with a replacement string containing a question mark (`?`).
## Vulnerability Description
Codenamed **NGINX Rift**, this is an 18-year-old heap buffer overflow flaw residing in the `ngx_http_rewrite_module`. The vulnerability occurs during the processing of crafted HTTP requests where the URI interacts with specific rewrite configurations. Because the bytes written past the buffer allocation are derived from the attacker-supplied URI, the memory corruption is "shaped" by the attacker rather than random.
## Exploitation
- **Status:** PoC availability confirmed by researchers (depthfirst); no widespread exploitation in the wild reported yet.
- **Complexity:** Medium (Successful RCE requires bypassing ASLR).
- **Attack Vector:** Network (Unauthenticated remote).
## Impact
- **Confidentiality:** High (Potential for RCE and data exfiltration).
- **Integrity:** High (Potential for RCE).
- **Availability:** High (Can cause worker process crashes leading to Denial of Service).
## Remediation
### Patches
Update to the following versions or later:
- **NGINX Open Source:** 1.30.1 or 1.31.0.
- **NGINX Plus:** R32 P6 or R36 P4.
- **NGINX Ingress Controller:** 3.7.3, 4.0.2, or 5.4.2 (and subsequent branches).
### Workarounds
If patching is not immediate, audit NGINX configuration files and **replace all unnamed captures with named captures** in every affected `rewrite` directive.
## Detection
- **Indicators of Compromise:** Monitor for frequent NGINX worker process restarts (segmentation faults) in error logs.
- **Detection methods:** Static analysis of NGINX configuration files to identify the specific pattern of unnamed PCRE captures followed by a `?` in replacement strings.
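As an added example (not depthfirst's or F5's tooling), a simplified Python scanner for the configuration pattern described above: it flags a `rewrite` whose replacement string uses an unnamed capture (`$1`..`$9`) and contains a `?`, and whose next directive in the same block is `rewrite`, `if`, or `set`. The sample configuration is constructed, and the parser is intentionally minimal (comments are stripped, but quoted arguments and `include` files are not handled).

```python
import re
# Constructed sample config (not from the advisory): one risky location, two safe ones.
SAMPLE_CONF = """
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?from=legacy last;    # unnamed capture, '?', followed by set
        set $flag 1;
    }
    location /named/ {
        rewrite ^/named/(?<p>.*)$ /new/$p?from=legacy last;  # named capture (the workaround)
        set $flag 1;
    }
    location /other/ {
        rewrite ^/other/(.*)$ /new/$1 last;              # no '?' in the replacement
        rewrite ^/other2/(.*)$ /new/$1?x=1 last;         # nothing follows it in this block
    }
}
"""

FOLLOWERS = {"rewrite", "if", "set"}

def parse_blocks(conf):
    """Yield (block_path, [directive tokens, ...]) for every block, innermost first."""
    stack = [("main", [])]
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (simplification)
        if not line:
            continue
        if line == "}":
            yield stack.pop()
            continue
        tokens = line.rstrip(";{").split()
        stack[-1][1].append(tokens)           # directive belongs to the enclosing block
        if line.endswith("{"):                # block directive: server, location, if, ...
            stack.append((f"{stack[-1][0]}/{' '.join(tokens)}", []))
    yield stack.pop()

def find_risky_rewrites(conf):
    """Return (block_path, directive) for rewrites matching the vulnerable pattern."""
    findings = []
    for path, directives in parse_blocks(conf):
        for i, d in enumerate(directives):
            if d[0] != "rewrite" or len(d) < 3:
                continue
            replacement = d[2]
            unnamed = re.search(r"\$\d", replacement) is not None
            followed = i + 1 < len(directives) and directives[i + 1][0] in FOLLOWERS
            if unnamed and "?" in replacement and followed:
                findings.append((path, " ".join(d)))
    return findings
```

Running `find_risky_rewrites(SAMPLE_CONF)` reports only the `/old/` location; the named-capture variant, the replacement without `?`, and the rewrite with no following directive are all left alone.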
## References
- **F5 Advisory:** hxxps[://]my[.]f5[.]com/manage/s/article/K000161019
- **Researcher Disclosure:** hxxps[://]depthfirst[.]com/nginx-rift
- **The Hacker News:** hxxps[://]thehackernews[.]com/2026/05/18-year-old-nginx-rewrite-module-flaw[.]html