Vulnerability Response · Last verified 2026-05-16

NGINX Rift (CVE-2026-42945): Self-Check Guide

On May 13, 2026, F5 and depthfirst disclosed CVE-2026-42945. It's a critical heap buffer overflow in NGINX's ngx_http_rewrite_module that's been hiding in the codebase for 18 years (since 2008). CVSS v4: 9.2 CRITICAL. An unauthenticated attacker can crash your NGINX worker or, when ASLR is disabled, get remote code execution with a crafted HTTP request. Public technical details are already circulating. Check exposure and patch quickly.

TL;DR

  • What: heap buffer overflow in ngx_http_rewrite_module. Triggered by rewrite with unnamed captures ($1, $2) plus a ? in the replacement string, followed by rewrite, if, or set.
  • Impact: DoS (worker crash loop) on all systems. RCE when ASLR is off.
  • Affected: NGINX Open Source 0.6.27 to 1.30.0, NGINX Plus R32 to R36, plus NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and F5 WAF for NGINX.
  • Fix: upgrade to NGINX 1.30.1 / 1.31.0, or NGINX Plus R32 P6 / R36 P4. Restart after patching.
  • Workaround: replace unnamed captures ($1) with named captures ($path) in vulnerable rewrite directives.
  • Wild exploitation: none confirmed as of 2026-05-16, but public technical details increase exposure risk.
  • Free scanner: nginx-rift-detector on GitHub. Checks version + config + access logs in 30 seconds.

Step 1: Check your NGINX version

SSH into the server and run:

nginx -v 2>&1

Output looks like:

nginx version: nginx/1.26.2

Compare against the fix versions:

| Product | Vulnerable | Fixed |
|---|---|---|
| NGINX Open Source (stable) | 0.6.27 to 1.30.0 | 1.30.1 |
| NGINX Open Source (mainline) | 0.6.27 to 1.30.0 | 1.31.0 |
| NGINX Plus | R32 to R36 | R32 P6 / R36 P4 |
| NGINX Ingress Controller | 3.5.0 to 5.4.1 | See F5 advisory |
| NGINX Gateway Fabric | 1.3.0 to 2.5.1 | See F5 advisory |

Below 1.30.1 means you're running vulnerable code. On to Step 2 to check whether your actual config triggers the vulnerable path.

Step 2: Audit your rewrite configuration

The bug only fires when a specific rewrite pattern is present. Search all your NGINX config files for the dangerous pattern:

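# Find rewrite directives that use unnamed captures ($1, $2, ...) and have a ? on the same line.
# The ? may sit before or after the capture (as in /new?path=$1), so filter in two stages.
grep -rnE 'rewrite[[:space:]].*\$[0-9]' /etc/nginx/ 2>/dev/null | grep -F '?'

# Then check whether any of those blocks also contain set, if, or another rewrite
# in the same location/server block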

A vulnerable config looks like this:

location /old/ {
    rewrite ^/old/(.*)$ /new?path=$1 break;
    set $original_path $1;   # <-- triggers the is_args mismatch
}

If you find this pattern, you're exploitable. Patch (Step 3) or apply the workaround (Step 4).

If you don't find this pattern, you're still running vulnerable code but the specific trigger isn't there. You should still patch. Urgency is lower.
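The grep in this step cannot see block boundaries, so the second half of the check (is there a set, if, or rewrite after the risky rewrite in the same block?) is left to the reader. The function below is an added example, not part of the original guide or of nginx-rift-detector; `audit_rewrite` is a hypothetical name and the parsing is a heuristic with the assumptions listed in its comments.

```sh
# Added example: heuristic, block-aware audit for the rewrite pattern described above.
# Assumptions: one directive per line, no braces or # inside quoted strings or
# regexes, and each file is checked on its own (include files are not followed).
audit_rewrite() {   # usage: audit_rewrite /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf
    awk '
    FNR == 1 { depth = 0; split("", armed) }   # reset state for each file
    {
        sub(/#.*/, "")                          # drop comments
        # A set, if or rewrite after a risky rewrite in the same block.
        if (armed[depth] && ($1 == "rewrite" || $1 == "if" || $1 == "set"))
            printf "%s:%d: VULNERABLE: %s follows risky rewrite on line %d\n", FILENAME, FNR, $1, armed[depth]
        # Risky rewrite: the replacement (3rd field) holds a ? and an unnamed capture.
        if ($1 == "rewrite" && NF >= 3 && index($3, "?") && $3 ~ /\$[0-9]/ && !armed[depth])
            armed[depth] = FNR
        # Track nesting so the state is scoped to one location/server/if block.
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "{") armed[++depth] = 0
            else if (c == "}") armed[depth--] = 0
        }
    }' "$@"
}
```

A rewrite that uses named captures, or a risky rewrite with nothing after it in its block, produces no output.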

Step 3: Patch

Ubuntu / Debian

sudo apt update && sudo apt install --only-upgrade nginx
nginx -v   # confirm >= 1.30.1
sudo systemctl restart nginx

RHEL / AlmaLinux / Rocky

sudo dnf update nginx
nginx -v   # confirm >= 1.30.1
sudo systemctl restart nginx

From source / Docker

# Download 1.30.1 or 1.31.0 from https://nginx.org/en/download.html
# Rebuild and restart. For Docker, update your base image tag.

Critical: you have to restart NGINX after upgrading. Package upgrade alone doesn't replace the in-memory binary of running worker processes. Until you restart, the old vulnerable code is still loaded. If a scan still reports the old version after patching, check the running workers before assuming the upgrade failed.
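One way to check the running workers on Linux is to look at `/proc/<pid>/exe`, which reads `... (deleted)` when a process is still executing a binary that the upgrade replaced on disk. This is an added example, not code from the original guide; `stale_nginx_procs` is a hypothetical name and its optional argument exists only so it can be pointed at a test tree.

```sh
# Added example: find nginx processes that are still executing a binary that
# has since been replaced on disk. Linux-only; run as root to see every process.
# The optional first argument (default /proc) is an assumption made for testing.
stale_nginx_procs() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        # /proc/<pid>/exe is a symlink to the binary the process was started from.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *nginx*" (deleted)") ;;      # old binary was unlinked by the upgrade
            *) continue ;;
        esac
        role=unknown
        if [ -r "$dir/cmdline" ]; then
            # nginx sets its title to "nginx: master process ..." or "nginx: worker process".
            role=$(tr '\0' ' ' < "$dir/cmdline" | sed 's/ *$//')
        fi
        printf '%s\t%s\t%s\n' "${dir##*/}" "$target" "$role"
    done
}
```

Empty output after the restart means no nginx process is still running the old binary.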

Step 4: Workaround if you can't patch yet

Swap unnamed captures for named captures in every affected rewrite directive:

# BEFORE (vulnerable):
rewrite ^/old/(.*)$ /new?path=$1 break;
set $original_path $1;

# AFTER (safe):
rewrite ^/old/(?<mypath>.*)$ /new?path=$mypath break;
set $original_path $mypath;

Reload: sudo nginx -t && sudo systemctl reload nginx

Named captures take a different code path in the rewrite engine, so the is_args length mismatch never triggers.

Step 5: Check access logs for exploitation

No specific IOCs have been published by F5 or depthfirst yet. Exploitation requires heavily encoded or unusual URIs hitting rewrite endpoints, so look for these patterns:

# Unusually long URIs hitting rewrite paths
awk 'length($7) > 2000' /var/log/nginx/access.log | tail -20

# Heavy percent-encoding in URI (exploit needs escapable bytes)
grep -cP '%[0-9a-fA-F]{2}.*%[0-9a-fA-F]{2}.*%[0-9a-fA-F]{2}' /var/log/nginx/access.log

# Unexpected worker restarts (crash loop = active exploitation)
grep 'worker process' /var/log/nginx/error.log | grep -i 'exit\|signal\|abort' | tail -20

Frequent worker restarts with signal 6 (SIGABRT) or signal 11 (SIGSEGV) in the error log are a strong indicator of heap corruption. Treat repeated crashes as possible probing or exploitation until logs prove otherwise.
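To tell an isolated crash from a crash loop, the worker exits can be grouped by minute. This is an added example, not part of the original guide or of nginx-rift-detector; `crash_bursts` is a hypothetical name and the default threshold of 3 exits per minute is an assumption to tune for your traffic.

```sh
# Added example: group worker exits on signal 6 or 11 by minute to spot a crash loop.
# The default threshold (3 exits per minute) is an assumed value, not one from F5.
crash_bursts() {   # usage: crash_bursts ERROR_LOG [MIN_EXITS_PER_MINUTE]
    awk -v min="${2:-3}" '
    /worker process [0-9]+ exited on signal/ {
        # The signal number is the field right after the word "signal".
        for (i = 1; i < NF; i++) if ($i == "signal") sig = $(i + 1)
        if (sig != "6" && sig != "11") next
        minute = $1 " " substr($2, 1, 5)       # "YYYY/MM/DD HH:MM"
        total[minute]++
        bysig[minute, sig]++
    }
    END {
        for (m in total)
            if (total[m] >= min)
                printf "%s total=%d sigabrt=%d sigsegv=%d\n", m, total[m], bysig[m, 6], bysig[m, 11]
    }' "$1" | sort
}
```

Correlate any minute it reports with the access log entries from the same window.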

Step 6: Use the free automated scanner

We published an open-source detection script that automates Steps 1, 2, and 5:

curl -sSL https://raw.githubusercontent.com/limo57640-crypto/nginx-rift-detector/main/detect.sh | sudo bash

The scanner runs:

  1. NGINX version (vulnerable vs. fixed).
  2. Rewrite config audit (finds the exact dangerous pattern).
  3. Access log anomaly scan (long URIs, heavy encoding).
  4. Error log analysis (worker crash signals).
  5. ASLR status (/proc/sys/kernel/randomize_va_space).
  6. NGINX user privilege check.

Output is CLEAN, VULNERABLE, or SUSPICIOUS.

Source: github.com/limo57640-crypto/nginx-rift-detector

Related CVEs in the same disclosure (May 13, 2026)

| CVE | CVSS v4 | Module | Type |
|---|---|---|---|
| CVE-2026-42945 | 9.2 | rewrite | Heap overflow - RCE |
| CVE-2026-42946 | 8.3 | SCGI / uWSGI | Memory alloc - info leak / DoS |
| CVE-2026-40701 | 6.3 | SSL | Use-after-free - DoS |
| CVE-2026-42934 | 6.3 | charset | OOB read - info leak |

The scanner above checks CVE-2026-42945 specifically. For the other three, the fix is the same: upgrade to NGINX 1.30.1+ / 1.31.0+ and restart.

Who should care

  • Hosting providers running NGINX as a reverse proxy for customer sites.
  • Kubernetes operators using NGINX Ingress Controller (versions 3.5.0 to 5.4.1).
  • WordPress / WooCommerce sites behind NGINX with custom rewrite rules.
  • CDN / load balancer operators using NGINX Plus.
  • Anyone running NGINX. The rewrite module is on by default and the vulnerable pattern shows up in a lot of production configs.

Timeline

| Date | Event |
|---|---|
| 2008 | Vulnerable code introduced in NGINX. |
| 2026-04-21 | depthfirst responsibly discloses to F5. |
| 2026-05-13 | F5 publishes advisory + patches. depthfirst publishes research. |
| 2026-05-13 | Public PoC exploit appears on GitHub. |
| 2026-05-14 | AlmaLinux ships patched nginx packages. |
| 2026-05-16 | No confirmed wild exploitation yet. This may change. |

Need help?

If the scanner output shows VULNERABLE or SUSPICIOUS and you're not confident patching yourself:

  • Free: reply to the scanner output in our GitHub Issues and we'll tell you if it looks exploitable.
  • $49 Quick Patch Call: 30-minute screenshare. We patch your NGINX, audit the rewrite rules, and check logs together. Book here.
  • $199 Full NGINX Security Audit: complete review of NGINX configuration, TLS setup, rate limiting, and all four May 2026 CVEs. Details.
