PROBABLYPWNED
Vulnerabilities | May 15, 2026 | 3 min read

NGINX Rift: 18-Year-Old Heap Overflow Enables RCE on Web Servers

CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module that went undetected since 2008. CVSS 9.2 with public PoC available—patch now.

Marcus Chen

A critical heap buffer overflow in NGINX sat undetected for 18 years, affecting every version of the world's most widely deployed web server since 0.6.27. Security researchers at depthfirst disclosed CVE-2026-42945—dubbed NGINX Rift—on May 14, 2026, with a CVSS v4 score of 9.2.

The vulnerability allows unauthenticated remote attackers to crash NGINX worker processes or, on systems without ASLR, achieve full remote code execution through a single crafted HTTP request. A proof-of-concept is now public on GitHub.

Technical Breakdown

The flaw lives in ngx_http_rewrite_module and triggers only under a specific configuration pattern: a rewrite directive whose regex uses unnamed PCRE capture groups ($1, $2 syntax) and whose replacement string contains a question mark, followed by another rewrite, if, or set directive in the same scope. In that combination, NGINX miscalculates the size of the buffer it allocates for the rewritten URI.

The root cause: NGINX computes the destination buffer using one set of escaping assumptions but writes to it using another. Characters like +, %, and & each expand by two bytes during URI escaping. The bytes written past the allocation derive from the attacker's URI, making the corruption attacker-controlled rather than random.

A vulnerable configuration looks like this:

location /redirect {
    rewrite ^/redirect/([0-9]+)$ /page?id=$1 last;
    if ($arg_debug) {
        # Second directive in same scope triggers the bug
        set $debug_mode 1;
    }
}

Exploitation Paths

Denial of Service: Trivial and reliable. One TCP connection, two packets, no authentication, no special headers—the targeted worker crashes immediately. NGINX respawns workers, but an attacker can sustain pressure to degrade service availability.

Remote Code Execution: More complex but achievable on systems using the Apache Portable Runtime with mmap allocator (default on Debian and official Docker images). Researchers demonstrated placing fake h2_stream structures at freed memory addresses, redirecting pool cleanup functions to system(). The depthfirst research includes a working PoC for controlled environments.

Massive Attack Surface

The vulnerability affects:

  • NGINX Open Source: Versions 0.6.27 through 1.30.0
  • NGINX Plus: R32 through R36
  • NGINX Instance Manager: 2.16.0 through 2.21.1
  • F5 WAF for NGINX: 5.9.0 through 5.12.1
  • NGINX App Protect WAF: 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0
  • NGINX Gateway Fabric and Ingress Controller: Multiple versions

According to W3Techs data, NGINX powers roughly 34% of all websites globally. Organizations running older configurations accumulated over years of incremental changes face the highest exposure.

Mitigation Without Downtime

If immediate patching isn't possible, convert unnamed captures to named captures in your rewrite rules. This eliminates the vulnerable code path without requiring restarts:

# Before (vulnerable):
rewrite ^/users/([0-9]+)$ /profile.php?id=$1 last;

# After (safe):
rewrite ^/users/(?<user_id>[0-9]+)$ /profile.php?id=$user_id last;

This workaround was validated by the researchers and F5's security team.
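A small configuration audit for the trigger pattern described under Technical Breakdown, together with the named-capture conversion from the workaround above, as an added example that is not the researchers' or F5's tooling. It assumes unquoted rewrite arguments, generates group names (cap1, cap2) where the write-up uses user_id, and runs over a constructed sample config.

```python
import re
# Trigger pattern from the write-up: '$1'..'$9' and a '?' in the replacement string.
UNNAMED_REF = re.compile(r"\$[1-9]")
TOKEN = re.compile(r"([^;{}]*)([;{}])")  # directive text up to its ';' or brace

def find_vulnerable_rewrites(config: str):
    """Return [(line, directive)] for rewrites followed by rewrite/if/set in the same scope."""
    # Drop '#' comments but keep line breaks so reported line numbers stay valid.
    text = "\n".join(line.split("#", 1)[0] for line in config.splitlines())
    scopes = [[]]   # stack of scopes; each holds candidate rewrites not yet confirmed
    findings = []
    for m in TOKEN.finditer(text):
        raw, delim = m.group(1), m.group(2)
        if delim == "}":    # leaving a scope discards its unconfirmed candidates
            if len(scopes) > 1:
                scopes.pop()
            continue
        body = raw.strip()
        if body:
            line = text.count("\n", 0, m.start(1) + len(raw) - len(raw.lstrip())) + 1
            parts = body.split()
            if parts[0] in ("rewrite", "if", "set"):
                findings.extend(scopes[-1])   # a trigger directive now follows the candidate(s)
                scopes[-1].clear()
            if parts[0] == "rewrite" and len(parts) > 2 and UNNAMED_REF.search(parts[2]) and "?" in parts[2]:
                scopes[-1].append((line, body))
        if delim == "{":
            scopes.append([])
    return findings

def to_named_captures(directive: str) -> str:
    """Convert 'rewrite REGEX REPL [flag]' to named captures; assumes unquoted args, skips escaped '(' and '(?'."""
    parts = directive.split()
    counter = iter(range(1, 10))
    regex = re.sub(r"(?<!\\)\((?!\?)", lambda _: f"(?<cap{next(counter)}>", parts[1])
    repl = re.sub(r"\$([1-9])", r"$cap\1", parts[2])
    return " ".join([parts[0], regex, repl] + parts[3:])

# Constructed sample config: the vulnerable block from the write-up plus two that should not match.
SAMPLE_CONFIG = """location /redirect {
    rewrite ^/redirect/([0-9]+)$ /page?id=$1 last;
    if ($arg_debug) { set $debug_mode 1; }   # second directive in the same scope
}
location /alone {
    rewrite ^/alone/([0-9]+)$ /page?id=$1 last;   # nothing follows it: not flagged
}
location /named {
    rewrite ^/named/(?<id>[0-9]+)$ /page?id=$id last;
    set $x 1;
}"""
```

Running `find_vulnerable_rewrites(SAMPLE_CONFIG)` reports only the /redirect rewrite on line 2; feeding each finding through `to_named_captures` gives the drop-in replacement line.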

Patch Information

  • NGINX Open Source: Upgrade to 1.30.1 or 1.31.0
  • NGINX Plus R36: Apply R36 P4
  • NGINX Plus R32: Apply R32 P6

Three companion CVEs were disclosed alongside NGINX Rift:

  • CVE-2026-42946 (CVSS 8.3): Memory allocation flaw in scgi/uwsgi modules
  • CVE-2026-40701 (CVSS 6.3): Use-after-free in SSL module
  • CVE-2026-42934 (CVSS 6.3): Out-of-bounds read in charset module

Why This Matters

An 18-year-old bug in foundational internet infrastructure is a sobering reminder that time doesn't equal security. The rewrite module is heavily used for URL routing, redirects, and access control—configurations that often accumulate complexity without regular audit.

This disclosure follows a pattern of critical web server vulnerabilities this month. Security teams should prioritize reviewing externally facing NGINX configurations, especially those migrated from older deployments. For those unfamiliar with web server hardening, our online safety tips guide covers foundational security practices.
