Full Report
An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution. [...]
Analysis Summary
# Vulnerability: NGINX "Rift" Heap Buffer Overflow
## CVE Details
- **CVE ID:** CVE-2026-42945
- **CVSS Score:** 9.2 (Critical)
- **CWE:** CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:**
  - NGINX Open Source
  - NGINX Plus
  - NGINX Instance Manager
  - NGINX App Protect WAF / DoS
  - NGINX Gateway Fabric
  - NGINX Ingress Controller
- **Versions:**
  - Open Source: 0.6.27 through 1.30.0
  - Plus: R32 through R36
  - (See full version list in Remediation section)
- **Configurations:** Systems utilizing both the `rewrite` and `set` directives within NGINX configurations, common in API gateways and reverse proxy setups.
## Vulnerability Description
The flaw exists in the `ngx_http_rewrite_module` due to inconsistent state handling within NGINX’s internal script engine. The engine processes rewrites in two passes: first, it calculates required memory; second, it copies the data.
When a rewrite contains a `?`, an `is_args` flag remains set. This causes NGINX to calculate the buffer size based on unescaped URI lengths, but subsequently write larger escaped data (converting characters like `+` and `&`). This discrepancy results in a heap buffer overflow.
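The size-then-copy mismatch described above, modelled as an added illustration in Python (this is not NGINX source and does not reproduce the engine's escape tables). The model assumes escaping is percent-encoding of a small assumed character set that includes `+` and `&`, and reports how far a size pass that ignores escaping falls short, next to a hardened size pass that applies the same escaping decision the copy pass uses:

```python
# Added illustration (not NGINX code): a toy model of the two-pass
# "size, then copy" pattern from the description above. The size pass
# and the copy pass must agree on whether data will be escaped; if the
# size pass counts unescaped bytes while the copy pass escapes, the
# buffer is under-allocated by exactly the escape expansion.
# Assumptions: escaping is modelled as percent-encoding of the set below
# (including '+' and '&'); the real engine's escape tables are not reproduced.

ESCAPE_SET = {"+", "&", " ", "#", "%"}   # assumed set for the model


def escape(s: str) -> str:
    """Copy pass behaviour: each byte in ESCAPE_SET becomes three bytes (%XX)."""
    return "".join(f"%{ord(c):02X}" if c in ESCAPE_SET else c for c in s)


def size_pass_buggy(captured: str, is_args: bool) -> int:
    """Size pass that ignores is_args and counts the unescaped length."""
    return len(captured)


def size_pass_fixed(captured: str, is_args: bool) -> int:
    """Hardened size pass: same escaping decision as the copy pass."""
    return len(escape(captured)) if is_args else len(captured)


def rewrite_model(captured: str, is_args: bool, size_pass) -> dict:
    """Allocate per size_pass, run the copy pass, report any shortfall."""
    allocated = size_pass(captured, is_args)
    data = escape(captured) if is_args else captured   # copy pass output
    return {
        "allocated": allocated,
        "written": len(data),
        "overflow": max(0, len(data) - allocated),
    }


if __name__ == "__main__":
    sample = "a+b&c"   # constructed capture appended after '?' by a rewrite
    print("buggy:", rewrite_model(sample, True, size_pass_buggy))
    print("fixed:", rewrite_model(sample, True, size_pass_fixed))
```

The point of the model is the fix, not the bug: once the size pass asks the same question as the copy pass (`is_args` set, so escaping applies), the two lengths agree and the shortfall is zero; when `is_args` is clear, neither pass escapes and the buggy and fixed size passes coincide.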
## Exploitation
- **Status:** PoC available; demonstrated RCE in lab conditions (ASLR disabled). Reliable DoS confirmed by third parties.
- **Complexity:** High (for RCE); Low (for DoS).
- **Attack Vector:** Network (Unauthenticated HTTP requests).
## Impact
- **Confidentiality:** High (Potential for memory leakage or RCE).
- **Integrity:** High (Potential for RCE if memory protections are bypassed).
- **Availability:** High (Trivial and reliable DoS by crashing worker processes).
## Remediation
### Patches
Update to the following versions or higher:
- **NGINX Open Source:** 1.31.0 or 1.30.1
- **NGINX Plus:** R36 P4 or R32 P6
- **NGINX Instance Manager:** 2.21.2
- **NGINX Gateway Fabric:** 1.6.3, 2.5.2
- **NGINX Ingress Controller:** 3.7.3, 4.0.2, 5.4.2
### Workarounds
If upgrading is not immediately possible, F5 recommends replacing **unnamed PCRE capture groups** (e.g., `$1`, `$2`) with **named captures** in vulnerable `rewrite` rules. This modification eliminates the primary prerequisite for the exploit.
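A first-pass audit of an NGINX configuration for the pattern this workaround targets, as an added example (not F5's or NGINX's own tooling): it lists `rewrite` rules whose replacement references unnamed captures (`$1`, `$2`, ...) and reports whether the same configuration also uses `set`, which is the configuration review the Detection section asks for. It assumes a single flat configuration text with one directive per line (`include` files are not followed), and the sample configuration is constructed.

```python
import re

# Added example (not F5's or NGINX's own tooling): audit an nginx config
# for rewrite rules that use unnamed PCRE captures in a config that also
# uses `set`. Assumptions: flat config text, one directive per line,
# include files not followed.

REWRITE_RE = re.compile(r"^[ \t]*rewrite\s+(\S+)\s+(\S+)", re.M)
SET_RE = re.compile(r"^[ \t]*set\s+\$\w+", re.M)
UNNAMED_CAPTURE_RE = re.compile(r"\$(\d)")   # $1 .. $9 in the replacement


def audit_config(text: str) -> dict:
    """Find rewrites that reference unnamed captures; note whether `set` is used."""
    findings = []
    for m in REWRITE_RE.finditer(text):
        regex, replacement = m.group(1), m.group(2)
        refs = UNNAMED_CAPTURE_RE.findall(replacement)
        if refs:
            findings.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "regex": regex,
                "replacement": replacement,
                "unnamed": sorted(set(refs)),
            })
    uses_set = bool(SET_RE.search(text))
    return {
        "uses_set": uses_set,
        "unnamed_capture_rewrites": findings,
        "matches_advisory_pattern": uses_set and bool(findings),
    }


# Constructed sample: one rewrite with an unnamed capture (flagged), one
# already using named captures (not flagged), and a `set` directive.
SAMPLE_CONF = r"""server {
    set $backend "app";
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/api/(?<ver>v\d+)/(?<rest>.*)$ /$ver/$rest break;
    location / { proxy_pass http://$backend; }
}
"""


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONF)
    for f in report["unnamed_capture_rewrites"]:
        print(f"line {f['line']}: rewrite {f['regex']} {f['replacement']} "
              f"uses unnamed captures {f['unnamed']}; convert to named captures")
    print("uses set:", report["uses_set"],
          "| matches advisory pattern:", report["matches_advisory_pattern"])
```

Run it over the real configuration (for example the output of `nginx -T`, which prints the fully resolved configuration) rather than a single file, so that rewrites and `set` directives living in different included files are seen together.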
## Detection
- **Indicators of Compromise:** Monitor for frequent crashes of NGINX worker processes (SIGSEGV) followed by the master process spawning new workers.
- **Detection Methods:**
  - Review NGINX configuration files for concurrent use of `rewrite` and `set` directives.
  - Inspect error logs for unusual memory-related errors or repeated worker restarts.
  - Scan for the NGINX version exposed in response headers and compare it against the affected version ranges.
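Two of the detection methods above as working code, added here as an example (not F5's or NGINX's own tooling): a scan of NGINX error-log lines for worker processes exiting on signal 11 (SIGSEGV) and the master spawning replacements, alerting when crashes cluster in a short window, and a check of an advertised open-source version against the affected range given in this advisory. It assumes the standard NGINX error-log line layout; the sample log lines are constructed, and the 60-second window and threshold of three crashes are illustrative values.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Added example (not F5's or NGINX's own tooling). Assumptions: the
# standard NGINX error-log layout ("worker process N exited on signal S",
# "start worker process N"); the sample lines below are constructed;
# window and threshold are illustrative.

CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)")
RESPAWN_RE = re.compile(r"\[notice\] \d+#\d+: start worker process (?P<pid>\d+)")


def crash_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Timestamps at which `threshold` SIGSEGV worker exits fell within one window."""
    recent = deque()
    alerts = []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m or m.group("sig") != "11":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()   # one alert per burst
    return alerts


def respawn_count(lines):
    """How many times the master started a new worker (follows each crash)."""
    return sum(1 for line in lines if RESPAWN_RE.search(line))


AFFECTED_LOW = (0, 6, 27)   # first affected open-source release per this advisory
FIRST_FIXED = (1, 30, 1)    # 1.30.1 and 1.31.0 are the fixed open-source releases


def version_in_affected_range(server_header):
    """True/False for 'nginx/X.Y.Z' style headers; None when no version is exposed."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", server_header)
    if not m:
        return None
    v = tuple(int(x) for x in m.groups())
    return AFFECTED_LOW <= v < FIRST_FIXED


# Constructed sample: three SIGSEGV worker exits within 20 seconds, each
# followed by a respawn, then an unrelated reload notice.
SAMPLE_LOG = [
    "2026/05/13 10:15:01 [alert] 1201#1201: worker process 1305 exited on signal 11 (core dumped)",
    "2026/05/13 10:15:01 [notice] 1201#1201: start worker process 1306",
    "2026/05/13 10:15:09 [alert] 1201#1201: worker process 1306 exited on signal 11 (core dumped)",
    "2026/05/13 10:15:09 [notice] 1201#1201: start worker process 1307",
    "2026/05/13 10:15:20 [alert] 1201#1201: worker process 1307 exited on signal 11 (core dumped)",
    "2026/05/13 10:15:20 [notice] 1201#1201: start worker process 1308",
    "2026/05/13 11:40:00 [notice] 1201#1201: signal 1 (SIGHUP) received from 1, reconfiguring",
]


if __name__ == "__main__":
    for ts in crash_bursts(SAMPLE_LOG):
        print(f"ALERT {ts}: repeated worker SIGSEGV exits")
    print("worker respawns:", respawn_count(SAMPLE_LOG))
    for hdr in ("nginx/1.30.0", "nginx/1.30.1", "nginx"):
        print(hdr, "->", version_in_affected_range(hdr))
```

A single worker crash is not by itself an indicator; the pattern the advisory describes is a run of SIGSEGV exits each followed by a respawn, which is why the detector keys on clustering. The version check only covers the open-source numbering; NGINX Plus builds (R32 through R36) report differently and need the vendor's own patch level (for example R36 P4) to decide.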
## References
- **F5 Security Advisory:** hxxps[://]my[.]f5[.]com/manage/s/article/K000161019
- **DepthFirst Research:** hxxp[://]depthfirst[.]com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
- **AlmaLinux Advisory:** hxxps[://]almalinux[.]org/blog/2026-05-13-nginx-rift-cve-2026-42945/