Critical NGINX Vulnerability Exploited in the Wild
A critical vulnerability in the widely used NGINX web server, tracked as CVE-2026-42945 and nicknamed "NGINX Rift," is now being actively exploited by attackers. The flaw, which was disclosed just over a week ago, allows unauthenticated remote attackers to trigger a denial-of-service (DoS) condition and, under certain circumstances, achieve remote code execution (RCE). According to security researchers, exploitation attempts have been detected in the wild since mid-May, shortly after technical details and a proof-of-concept (PoC) exploit were made public.
Understanding NGINX's Critical Role
NGINX is one of the most ubiquitous pieces of software on the internet. Originally created as a high-performance web server, it has evolved into a multi-faceted tool used for load balancing, reverse proxying, HTTP caching, and even as an API gateway. Its architecture, which uses event-driven, asynchronous processing, allows it to handle thousands of concurrent connections with minimal resource consumption. This efficiency has made NGINX the backbone of many high-traffic websites, streaming services, and cloud platforms. According to recent surveys, NGINX powers over 30% of all active websites, making it the most widely deployed web server today. The software is also embedded in numerous commercial products, including F5's application delivery controllers, security solutions, and Kubernetes ingress controllers. Given its pervasive presence, any critical vulnerability in NGINX has the potential to disrupt a massive portion of the internet.
Technical Details of CVE-2026-42945
The vulnerability resides in the ngx_http_rewrite_module, a core component that handles URL rewriting rules. The issue is a memory corruption bug that occurs when a specific configuration pattern is present: a rewrite directive using an unnamed regex capture (like $1 or $2) combined with a replacement string containing a question mark, followed by another rewrite, if, or set directive. Under these conditions, NGINX miscalculates the required memory buffer size, leading to a heap-based buffer overflow when processing a crafted HTTP request.
Researchers who discovered the vulnerability explain that the calculation of the destination buffer uses one set of escaping assumptions, while the actual write operation uses another. The result is that the write proceeds past the allocated boundary, overwriting adjacent heap memory. Critically, the overflow bytes are derived from the attacker-controlled URI, giving the attacker deterministic control over the corruption pattern. This makes the vulnerability both reliable and repeatable, a dangerous combination for exploit development.
Exploitation in Practice
The proof-of-concept exploit developed by the Depthfirst research team demonstrates two attack vectors. First, a straightforward DoS attack: by repeatedly sending specially crafted requests, an attacker can crash NGINX worker processes, leading to service disruption. On default NGINX installations, achieving this denial of service is trivial. Second, the researchers showed that if address space layout randomization (ASLR) is disabled on the target server, the same vulnerability can be leveraged for arbitrary code execution. While disabling ASLR is not a default configuration, some organizations may disable it for compatibility reasons or on older systems, making them susceptible to full remote compromise.
Security intelligence from VulnCheck's canary systems flagged active exploitation attempts beginning May 16, 2026, just three days after the vulnerability and PoC went public. The observed scans targeted a wide range of IP addresses, suggesting opportunistic scanning rather than targeted attacks. However, not all NGINX installations are vulnerable; the attack only works if the server is running a specific rewrite configuration pattern. Censys scans reveal roughly 5.7 million internet-exposed NGINX servers running potentially vulnerable versions, though the truly exploitable subset is likely much smaller.
Affected Versions and Products
CVE-2026-42945 impacts a wide range of NGINX releases. For NGINX Open Source, versions from 0.6.27 up to and including 1.30.0 are vulnerable. NGINX Plus versions R32 through R36 are also affected. Additionally, several F5 products that embed NGINX are vulnerable: NGINX Ingress Controller, F5 WAF for NGINX, and F5 DoS for NGINX, among others. The vulnerability was one of five security issues disclosed by Depthfirst, but it stands out as the most critical due to its potential for code execution.
Patches and Mitigations
F5 has released fixed versions to address the vulnerability. NGINX Open Source users should update to versions 1.31.0 or 1.30.1. NGINX Plus customers are advised to upgrade to R36 P4 or R32 P6. For F5 NGINX-based products, patches are available: WAF for NGINX v5.13.0 and DoS for NGINX v4.9.0. In addition to patching, F5 provided a mitigation that does not require a full upgrade: administrators can replace unnamed regex captures (like $1, $2) with named captures (like $name) in their rewrite directives. This simple change prevents the buffer miscalculation from occurring.
Major Linux distributions have begun rolling out patched NGINX packages. AlmaLinux, Debian, and Ubuntu have all released updates to their repositories. Administrators are strongly urged to apply patches immediately, especially for internet-facing servers. Given that exploitation is already active, delays in patching could result in service outages or, in the worst case, server compromise.
Impact and Additional Context
The widespread use of NGINX means that even a moderate success rate for this exploit could cause significant disruption. A DoS attack against a large content delivery network or a cloud provider could affect thousands of websites simultaneously. The vulnerability also highlights a broader trend: memory corruption bugs in widely deployed software continue to be a primary vector for both attackers and researchers. The use of AI-native vulnerability detection platforms, as employed by Depthfirst, is increasingly uncovering such deep-seated flaws that might otherwise go unnoticed.
Security researchers have noted that the exploit attempts observed so far are initial scans, likely searching for vulnerable configurations. Future waves of attacks may become more sophisticated, potentially incorporating ASLR bypass techniques or chaining the bug with other vulnerabilities. The cybersecurity community is closely monitoring the situation, and threat intelligence firms are sharing indicators of compromise to help defenders detect and block attacks.
For organizations using NGINX, this incident serves as a stark reminder of the importance of staying current with security updates, especially for foundational infrastructure components. A single unpatched web server can become an entry point for broader network intrusion. The fact that the vulnerability requires a specific configuration does not reduce its criticality, as many production environments inevitably use rewrite rules with unnamed captures. Administrators should audit their NGINX configurations and apply both the mitigation (using named captures) and the official patch as soon as possible.
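As an added example (not code from the article, F5 or the Depthfirst team), the following Python script audits an NGINX configuration for the rewrite pattern described above (an unnamed capture referenced in a replacement containing "?", directly followed by another rewrite, if or set directive) and rewrites a flagged directive into the named-capture form F5 recommends as a mitigation. The sample configuration, the function names and the cN group names are assumptions; it is a configuration-pattern heuristic, not a vulnerability test.

```python
import itertools
import re

# Constructed sample config (not from any real deployment). The first location
# matches the risky pattern the article describes; the second uses a named capture.
SAMPLE_CONF = """
server {
  location /old/  { rewrite ^/old/(.*)$ /new/$1?from=legacy break; set $flag 1; }
  location /safe/ { rewrite ^/safe/(?<rest>.*)$ /new/$rest?from=legacy break; set $flag 1; }
}
"""

UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")  # "(" that is not "\(", "(?<n>" or "(?:"
NUMERIC_REF = re.compile(r"\$(\d+)")            # $1, $2, ... in the replacement string
FOLLOWERS = {"rewrite", "if", "set"}            # directives that complete the pattern

def directives(conf):
    """Yield (name, args, depth) in source order, block heads such as 'location'
    included. Limitation: regex quantifier braces such as {2} are not parsed."""
    depth, buf = 0, ""
    for ch in conf:
        if ch in "{;":
            parts = buf.split()
            if parts:
                yield parts[0], parts[1:], depth
            depth, buf = depth + (ch == "{"), ""
        elif ch == "}":
            depth, buf = depth - 1, ""
        else:
            buf += ch

def audit(conf):
    """Return [(rewrite text, next directive)] for each rewrite that uses an unnamed
    capture ($N), has '?' in its replacement and is directly followed by
    rewrite/if/set in the same block. A config-pattern check, not a vulnerability test."""
    items = list(directives(conf))
    found = []
    for i, (name, args, depth) in enumerate(items):
        if name != "rewrite" or len(args) < 2:
            continue
        regex, repl = args[0], args[1]
        if UNNAMED_GROUP.search(regex) and NUMERIC_REF.search(repl) and "?" in repl:
            if i + 1 < len(items) and items[i + 1][2] == depth and items[i + 1][0] in FOLLOWERS:
                found.append((" ".join([name] + args), items[i + 1][0]))
    return found

def to_named(regex, repl):
    """Apply the mitigation F5 describes: name unnamed groups (?<cN>...) left to
    right and point $N references at $cN, so the rewrite no longer uses $1/$2."""
    counter = itertools.count(1)
    new_regex = UNNAMED_GROUP.sub(lambda _m: f"(?<c{next(counter)}>", regex)
    return new_regex, NUMERIC_REF.sub(r"$c\1", repl)
```

Run `audit(open("/etc/nginx/nginx.conf").read())` against a flattened config (includes resolved) to list candidate directives, then feed each one's regex and replacement to `to_named` for the suggested rewrite.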
As of late May 2026, the exploit code is publicly available, and weaponized versions may be integrated into botnets or ransomware toolkits. The race between defenders patching and attackers exploiting is already underway, and the outcome will largely depend on how quickly organizations respond. The NGINX ecosystem, from individual webmasters to large-scale cloud providers, must act decisively to prevent CVE-2026-42945 from becoming a major incident.
Source: Help Net Security News