Vulnerability Management

Critical ‘NGINX Rift’ vulnerability discovered, present for 18 years

(Adobe Stock)

As reported by Security Affairs, a critical heap buffer overflow vulnerability, named NGINX Rift and tracked as CVE-2026-42945, has been discovered in NGINX Plus and NGINX Open Source, remaining undetected for eighteen years.

The vulnerability, with a CVSS v4 score of 9.2, resides in the ngx_http_rewrite_module and affects a significant portion of internet infrastructure due to NGINX's widespread use as a reverse proxy, load balancer, and more. NGINX Rift is triggered by a specific configuration pattern involving rewrite directives with unnamed PCRE capture groups and a question mark in the replacement string, followed by another directive. This leads to a heap overflow where the write operation extends beyond the allocated buffer, allowing attackers to control the memory corruption through crafted HTTP requests. Exploitation can lead to remote code execution or denial-of-service by crashing worker processes.

The flaw affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus R32 through R36, along with various F5 and NGINX products. Patches were released on April 21, 2026. While no exploitation in the wild has been reported, immediate upgrades or configuration workarounds are recommended.

Source: Security Affairs

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds