As reported by Security Affairs, a critical heap buffer overflow vulnerability, named NGINX Rift and tracked as CVE-2026-42945, has been discovered in NGINX Plus and NGINX Open Source, remaining undetected for eighteen years.The vulnerability, with a CVSS v4 score of 9.2, resides in the ngx_http_rewrite_module and affects a significant portion of internet infrastructure due to NGINX's widespread use as a reverse proxy, load balancer, and more. NGINX Rift is triggered by a specific configuration pattern involving rewrite directives with unnamed PCRE capture groups and a question mark in the replacement string, followed by another directive. This leads to a heap overflow where the write operation extends beyond the allocated buffer, allowing attackers to control the memory corruption through crafted HTTP requests. Exploitation can lead to remote code execution or denial-of-service by crashing worker processes.The flaw affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus R32 through R36, along with various F5 and NGINX products. Patches were released on April 21, 2026. While no exploitation in the wild has been reported, immediate upgrades or configuration workarounds are recommended.Source: Security Affairs
Vulnerability Management
Critical ‘NGINX Rift’ vulnerability discovered, present for 18 years

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



