CVE Watch · Last verified 2026-05-16
NGINX Rift: 18-Year-Old RCE Hiding in 1/3 of the Internet
On May 13, 2026, F5 and depthfirst disclosed CVE-2026-42945 — a critical heap buffer
overflow in NGINX's ngx_http_rewrite_module that has been in the codebase
since 2008. CVSS v4: 9.2 CRITICAL. A single crafted HTTP
request can crash your NGINX worker or achieve remote code execution when ASLR is off.
A public proof-of-concept exploit is already on GitHub. No wild exploitation confirmed yet —
but the window is closing fast.
Verified facts
- CVE-2026-42945 — heap buffer overflow in ngx_http_rewrite_module, triggered by rewrite + unnamed captures ($1) + ? in the replacement + set/if. CVSS v4 9.2 (Critical).
- 18-year-old bug: introduced in NGINX source in 2008. Discovered by depthfirst's autonomous AI security analysis system.
- Affected: NGINX Open Source 0.6.27–1.30.0, NGINX Plus R32–R36, NGINX Ingress Controller 3.5.0–5.4.1, NGINX Gateway Fabric 1.3.0–2.5.1, and more F5/NGINX products.
- Impact surface: NGINX powers roughly 1/3 of all websites globally. The vulnerable rewrite + set pattern is extremely common in production configs.
- Public PoC: full RCE exploit available on GitHub since May 13. Tested on Ubuntu 24.04.
- Wild exploitation: none confirmed as of 2026-05-16, but researchers warn "that window will not stay open indefinitely."
- Patch: NGINX 1.30.1 (stable), 1.31.0 (mainline), NGINX Plus R32 P6 / R36 P4.
- Disclosed alongside: CVE-2026-42946 (CVSS 8.3), CVE-2026-40701 (CVSS 6.3), CVE-2026-42934 (CVSS 6.3) — all fixed in the same upgrade.
How the exploit works
NGINX's rewrite engine uses a two-pass process: first it computes the required buffer size,
then it copies data into that buffer. The is_args flag is set on the main engine
when a rewrite replacement contains ?, but the length-calculation pass runs on a
freshly zeroed sub-engine where is_args = 0.
- Length pass: is_args = 0 → calculates raw capture length (too small)
- Copy pass: is_args = 1 → ngx_escape_uri expands each escapable byte to 3 bytes
The copy overflows the undersized heap buffer with attacker-controlled URI data. The PoC uses
cross-request heap feng shui (POST bodies) to corrupt an adjacent ngx_pool_t's
cleanup pointer, redirecting it to invoke system() on pool destruction.
Who should care
- Hosting providers running NGINX as a reverse proxy for customer sites — RCE grants access to every customer web root
- Kubernetes operators using NGINX Ingress Controller (3.5.0–5.4.1)
- WordPress / WooCommerce sites behind NGINX with custom rewrite rules
- CDN and load balancer operators using NGINX Plus
- Anyone running NGINX — the rewrite module is enabled by default
Workaround (if you cannot patch immediately)
Replace unnamed captures with named captures in all affected rewrite directives:
# BEFORE (vulnerable):
rewrite ^/old/(.*)$ /new?path=$1 break;
set $original_path $1;
# AFTER (safe):
rewrite ^/old/(?<mypath>.*)$ /new?path=$mypath break;
set $original_path $mypath;
Then reload: sudo nginx -t && sudo systemctl reload nginx
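Added example (not the page's scanner and not NGINX code): a small Python audit that applies the advisory's version range and flags the rewrite + unnamed capture + ? in replacement + set/if combination described under "How the exploit works", then confirms the named-capture workaround above no longer matches. The VULNERABLE / SUSPICIOUS / CLEAN labels are an assumption modelled on the scanner output the page mentions, and the check sees one text buffer, not include files.

```python
import re

# Affected NGINX Open Source range stated in the advisory (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (0, 6, 27), (1, 30, 0)

REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)")
SET_IF_RE = re.compile(r"^\s*(set|if)\b.*\$\d")   # set/if using $1..$9
NUM_CAPTURE = re.compile(r"\$\d")                  # unnamed capture reference


def version_affected(banner: str) -> bool:
    """True if an 'nginx/x.y.z' style string falls in the affected OSS range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return AFFECTED_MIN <= tuple(int(x) for x in m.groups()) <= AFFECTED_MAX


def audit_config(conf: str) -> dict:
    """Scan nginx config text for the advisory's trigger combination.

    VULNERABLE: a rewrite whose replacement uses an unnamed capture and
                contains '?', plus a set/if directive using an unnamed capture.
    SUSPICIOUS: such a rewrite alone (no set/if seen in this text).
    CLEAN:      neither; named captures ($name) are never flagged.
    """
    risky_rewrites, set_if_lines = [], []
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.split("#", 1)[0]          # ignore comments
        m = REWRITE_RE.match(line)
        if m:
            replacement = m.group(2)
            if "?" in replacement and NUM_CAPTURE.search(replacement):
                risky_rewrites.append(n)
        elif SET_IF_RE.match(line):
            set_if_lines.append(n)
    if risky_rewrites and set_if_lines:
        verdict = "VULNERABLE"
    elif risky_rewrites:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "rewrites": risky_rewrites, "set_if": set_if_lines}


# Constructed samples: the advisory's own before/after rules.
VULNERABLE_CONF = "rewrite ^/old/(.*)$ /new?path=$1 break;\nset $original_path $1;"
SAFE_CONF = "rewrite ^/old/(?<mypath>.*)$ /new?path=$mypath break;\nset $original_path $mypath;"
```

Run audit_config over each server block's text after `nginx -T` to see the effective configuration including includes.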
Free resources
- Self-check guide — 6-step walkthrough: version check → config audit → patch → workaround → log analysis → automated scanner
- Open-source scanner — Bash script: checks version, rewrite config, access logs, error logs, ASLR, privileges. Output: CLEAN / VULNERABLE / SUSPICIOUS.
Need help fixing this vulnerability?
Professional remediation by the same team that tracks these threats.