Cybersecurity researchers have disclosed a critical heap buffer overflow vulnerability, codenamed NGINX Rift, impacting both NGINX Plus and NGINX Open Source. This severe flaw, discovered by depthfirst and tracked as CVE-2026-42945, remained undetected for an astonishing 18 years. The vulnerability carries a CVSS v4 score of 9.2, indicating a significant risk for remote code execution or denial-of-service (DoS) attacks through carefully crafted HTTP requests. NGINX serves as a high-performance web server and reverse proxy, making this vulnerability a widespread concern for internet infrastructure.
The NGINX Rift vulnerability resides within the ngx_http_rewrite_module and is triggered under specific conditions: rewrite, if, or set directives followed by an unnamed Perl-Compatible Regular Expression (PCRE) capture, with a question mark in the replacement string. According to F5’s advisory, an unauthenticated attacker could exploit this by sending specially crafted requests. This could lead to a heap buffer overflow within an NGINX worker process, potentially causing it to restart. In systems with Address Space Layout Randomization (ASLR) disabled, this heap overflow could pave the way for remote code execution.
NGINX Rift: A Deep Dive into the Critical Vulnerability
The NGINX Rift vulnerability (CVE-2026-42945) presents a significant threat due to its accessibility and potential impact. depthfirst stated that the exploit is reachable without authentication and can reliably trigger the heap overflow, leading to potential remote code execution within the NGINX worker process. The attacker-controlled URI dictates the data written past the allocation, allowing for shaped corruption rather than random memory manipulation. Furthermore, repeated exploitation could induce a crash loop in worker processes, degrading the availability of all websites served by the affected NGINX instance.
This critical flaw was responsibly disclosed on April 21, 2026, and has since been patched. Fixes for the NGINX Plus R32 – R36 range were introduced in R32 P6 and R36 P4, and fixes for NGINX Open Source versions 1.0.0 – 1.30.0 were introduced in 1.30.1 and 1.31.0. However, older versions of NGINX Open Source, specifically 0.6.27 – 0.9.7, are not planned for fixes. NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, F5 DoS for NGINX, NGINX Gateway Fabric, and NGINX Ingress Controller also have corresponding patched versions addressing this and other related vulnerabilities.
Additional Vulnerabilities Patched in NGINX
In addition to the 18-year-old NGINX Rift, several other security vulnerabilities have been addressed in recent updates for NGINX Plus and NGINX Open Source. These include an excessive memory allocation flaw, a use-after-free issue, and an out-of-bounds read vulnerability, all of which could be exploited by remote, unauthenticated attackers under specific configurations.
Excessive Memory Allocation (CVE-2026-42946)
Tracked as CVE-2026-42946 with a CVSS v4 score of 8.3, this vulnerability affects the ngx_http_scgi_module and ngx_http_uwsgi_module. It could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to manipulate upstream server responses. This manipulation could lead to the disclosure of NGINX worker process memory or cause a restart when scgi_pass or uwsgi_pass directives are configured.
Use-After-Free (CVE-2026-40701)
The ngx_http_ssl_module contains a use-after-free vulnerability (CVE-2026-40701, CVSS v4 score: 6.3). This flaw allows a remote, unauthenticated attacker to achieve limited control over data modification or trigger a restart of the NGINX worker process. Exploitation is possible when the ssl_verify_client directive is set to “on” or “optional,” and the ssl_ocsp directive is set to “on.”
Out-of-Bounds Read (CVE-2026-42934)
Lastly, CVE-2026-42934, with a CVSS v4 score of 6.3, impacts the ngx_http_charset_module. This out-of-bounds read vulnerability could permit a remote, unauthenticated attacker to disclose memory contents or force a worker process restart. Exploitation requires a specific configuration: the charset, source_charset, and charset_map directives, along with proxy_pass with buffering disabled (“off”).
Users are strongly advised to upgrade to the latest available versions of NGINX Plus and NGINX Open Source to ensure optimal protection against these identified risks. For organizations unable to immediately patch CVE-2026-42945, a temporary mitigation involves reconfiguring rewrite directives by replacing unnamed captures with named captures. The cybersecurity landscape continues to evolve, and ongoing vigilance and prompt patching remain crucial for maintaining secure web infrastructure.
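One way to find the rules that are candidates for the named-capture mitigation described above, as an added example that is not code from F5, depthfirst, or the NGINX project: a heuristic audit run over a constructed configuration. It assumes one directive per line, treats a rewrite whose replacement contains both an unnamed capture ($1..$9) and a question mark as matching the trigger description, and marks other unnamed-capture uses in rewrite and set for review; the names audit and SAMPLE_CONF are hypothetical.

```python
import re

UNNAMED = re.compile(r"\$[1-9]")  # unnamed PCRE capture reference: $1 .. $9

# Constructed sample configuration for illustration only.
SAMPLE_CONF = r"""server {
    rewrite ^/item/(\d+)$ /view.php?id=$1 last;
    rewrite ^/product/(?<pid>\d+)$ /view.php?id=$pid last;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /a {
        if ($request_uri ~ ^/a/(.*)$) {
            set $tail $1;
        }
    }
}
"""


def audit(conf_text):
    """Return (line_no, level, directive) for rewrite/set lines using $1..$9.

    Assumptions (simplifications, not NGINX's real parser): one directive
    per line, '#' always starts a comment, include files are not followed.
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        tokens = line.rstrip(";").split()
        if len(tokens) < 3 or tokens[0] not in ("rewrite", "set"):
            continue
        # rewrite <regex> <replacement> [flag];   set <$var> <value>;
        target = tokens[2]
        if not UNNAMED.search(target):
            continue  # named captures such as $pid are the mitigated form
        if tokens[0] == "rewrite" and "?" in target:
            level = "trigger-pattern"  # unnamed capture plus '?' in replacement
        else:
            level = "review"  # unnamed capture only; convert when convenient
        findings.append((line_no, level, line))
    return findings


if __name__ == "__main__":
    for line_no, level, directive in audit(SAMPLE_CONF):
        print(f"line {line_no}: [{level}] {directive}")
```

In the sample, the second rewrite shows the mitigated form of the first: the group is named with (?<pid>...) and referenced as $pid, so the audit does not flag it.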

