A critical vulnerability in the widely used NGINX web server software is being actively exploited in the wild, just days after a proof-of-concept exploit was made public. The flaw, tracked as CVE-2026-42945 and nicknamed NGINX Rift, poses a significant threat to a large portion of the internet's infrastructure due to NGINX's massive deployment as a web server, reverse proxy, load balancer, and HTTP cache.
The vulnerability was disclosed last week by F5, the company overseeing NGINX development. Security researchers from Depthfirst discovered the issue using an AI-native vulnerability detection platform, and they subsequently released technical details and a working proof-of-concept exploit. According to VulnCheck security researcher Patrick Garrity, their canary systems began flagging exploitation attempts on May 16, three days after the public disclosure. This rapid turnaround from disclosure to active exploitation highlights the attractiveness of such a high-impact vulnerability to threat actors.
Technical Details of CVE-2026-42945
CVE-2026-42945 is a memory corruption vulnerability that affects NGINX Open Source (versions 0.6.27 through 1.30.0) and NGINX Plus (versions R32 through R36). It also impacts several F5 products that integrate NGINX, including NGINX Ingress Controller and F5 WAF for NGINX. The root cause lies in the ngx_http_rewrite_module. The bug is triggered when a rewrite directive uses an unnamed regex capture (such as $1 or $2), the replacement string contains a question mark, and the rewrite is followed by another rewrite, if, or set directive. In this specific configuration pattern, NGINX miscalculates the destination buffer size because of inconsistent escaping assumptions, and the resulting write overruns the allocated buffer, causing deterministic memory corruption. Critically, the bytes written are derived from the attacker's URI, so the corruption can be shaped by the attacker rather than being random.
This memory corruption can be reliably triggered by sending a specially crafted HTTP request. In default configurations, an unauthenticated attacker can cause a denial-of-service (DoS) condition by crashing NGINX worker processes. Repeated requests can keep workers in a crash loop, effectively taking down all sites served by that instance. For code execution, the attacker needs to bypass modern memory protections. While ASLR (Address Space Layout Randomization) typically prevents exploitation for code execution, security researchers note that if an attacker can disable ASLR on the target server (e.g., through another vulnerability or misconfiguration), achieving remote code execution becomes feasible. The VulnCheck team emphasized that not every NGINX instance is vulnerable; exploitation requires the specific rewrite configuration pattern to be present.
Scale of Impact
NGINX is the most widely deployed web server globally, powering millions of websites. According to VulnCheck's Censys queries, roughly 5.7 million internet-exposed NGINX servers are running a potentially vulnerable version. However, the truly exploitable population is likely a smaller subset due to the specific configuration requirement. Nonetheless, even a fraction of that number represents a massive attack surface. Organizations using NGINX as a reverse proxy or load balancer, especially in cloud-native environments, are at heightened risk. The vulnerability also affects F5's application delivery and security solutions, further expanding the potential victim pool.
Mitigation and Patching
F5 has released patches for all affected versions. Fixed versions include NGINX Open Source 1.31.0 and 1.30.1, NGINX Plus R36 P4 and R32 P6, F5 WAF for NGINX v5.13.0, and F5 DoS for NGINX v4.9.0. Additionally, F5 provided a mitigation for those unable to patch immediately: using named captures instead of unnamed captures in rewrite definitions. Linux distributors such as AlmaLinux, Ubuntu, and Debian have also begun shipping patched nginx packages. Security experts strongly urge all administrators to prioritize patching, given the active exploitation and the potential for DoS attacks to disrupt critical services.
The disclosure of CVE-2026-42945 came alongside four other security issues in NGINX, but this memory corruption bug stands out for its severity. The combination of easy exploitability (for DoS), potential for code execution, and the ubiquity of NGINX makes it a high-priority threat for defenders. The incident also underscores the importance of configuration hygiene; many NGINX instances running vulnerable configurations could have been protected by avoiding the specific rewrite pattern. As exploitation continues, organizations should also monitor for unusual HTTP requests targeting their NGINX servers and consider deploying web application firewalls to filter malicious traffic.
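The crash loop described above, in which worker processes keep dying and the master restarts them, leaves a trace in the NGINX error log that can be monitored without inspecting any request. The following Python is an added example, not code from the article or from F5/NGINX: it assumes the standard NGINX error-log alert line "worker process N exited on signal S", and the sample log lines embedded in it are constructed rather than captured from a real server.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Standard nginx error-log alert written by the master process when a worker dies
# on a signal (format assumed from nginx's own logging; not quoted from the article).
WORKER_EXIT = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)

def worker_crashes(lines):
    """Yield (timestamp, pid, signal) for each worker crash recorded in the log."""
    for line in lines:
        m = WORKER_EXIT.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), int(m["pid"]), int(m["sig"])

def detect_crash_loop(lines, window=timedelta(seconds=60), threshold=3):
    """Sliding-window detector: return (first_ts, last_ts, count) as soon as
    `threshold` worker crashes have fallen inside `window`, else None.
    Any fatal signal counts; a memory-corruption crash is normally SIGSEGV (11)."""
    recent = deque()
    for ts, _pid, _sig in worker_crashes(lines):
        recent.append(ts)
        while ts - recent[0] > window:   # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            return recent[0], ts, len(recent)
    return None

# Constructed sample error-log lines (not a real capture): one isolated crash in the
# morning, then a worker dying and being restarted every few seconds.
SAMPLE_ERROR_LOG = [
    "2026/05/16 09:00:02 [alert] 1200#1200: worker process 1201 exited on signal 11 (core dumped)",
    "2026/05/16 09:00:02 [notice] 1200#1200: start worker process 1210",
    "2026/05/16 10:12:31 [alert] 1200#1200: worker process 1210 exited on signal 11 (core dumped)",
    "2026/05/16 10:12:31 [notice] 1200#1200: start worker process 1220",
    "2026/05/16 10:12:36 [alert] 1200#1200: worker process 1220 exited on signal 11 (core dumped)",
    "2026/05/16 10:12:36 [notice] 1200#1200: start worker process 1230",
    "2026/05/16 10:12:40 [alert] 1200#1200: worker process 1230 exited on signal 11 (core dumped)",
]

if __name__ == "__main__":
    hit = detect_crash_loop(SAMPLE_ERROR_LOG)
    if hit:
        print(f"crash loop: {hit[2]} worker crashes between {hit[0]} and {hit[1]}")
```

On the constructed sample the isolated 09:00 crash is ignored and the three crashes between 10:12:31 and 10:12:40 trip the detector. In practice the window and threshold should be tuned to the instance's normal worker-exit rate, and a hit is a reason to pull the worker core dump and the access log for the same seconds, since the article notes that the DoS is reachable in default configurations once the rewrite pattern is present.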
The vulnerability has drawn comparisons to past high-profile NGINX flaws, such as CVE-2021-23017, but the deterministic nature of this bug and its potential for RCE make it particularly dangerous. Depthfirst researchers used AI-based vulnerability detection to identify the issue, marking a growing trend in cybersecurity where machine learning aids in finding subtle memory corruption bugs. They published technical details and a proof-of-concept exploit after F5 released fixes, following responsible disclosure practices. However, the quick exploitation demonstrates that such transparency also accelerates adversary adaptation.
For system administrators and security teams, the immediate priority is to identify all NGINX instances in their environment, check for the vulnerable rewrite configuration pattern, and apply patches or mitigations without delay. Those using F5 products should also consult the security advisory to ensure all affected components are updated. Given that the exploit can cause a denial-of-service condition even without code execution, the impact on availability alone warrants urgent action. Businesses relying on NGINX for their web infrastructure should treat this as a critical incident and follow their vulnerability management procedures.
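The configuration check recommended above, together with the vulnerable pattern described in the technical details and F5's named-capture mitigation, as an added example that is not F5's tooling or code from the article: a small Python audit that parses an NGINX configuration and flags each rewrite whose replacement uses an unnamed capture ($1, $2, ...) and contains a question mark, and which is followed in the same block by another rewrite, if, or set directive. It assumes that "followed by" means a later sibling directive in the same block, it does not resolve include directives (run it over the merged output of nginx -T to cover the whole configuration), and the sample configuration embedded in it is constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Directive:
    name: str
    args: list
    line: int
    block: list = field(default_factory=list)  # children when this is a block directive

def tokenize(text):
    """(token, line, quoted) tuples; '#' comments skipped, quoted strings kept whole."""
    tokens, i, line, n = [], 0, 1, len(text)
    while i < n:
        c = text[i]
        if c == "#":                      # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c.isspace():
            line, i = line + (c == "\n"), i + 1
        elif c in "{};":                  # structural tokens
            tokens.append((c, line, False)); i += 1
        elif c in "\"'":                  # quoted string: nginx needs quotes around a regex with braces
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1   # keep escapes such as \" verbatim
            tokens.append((text[i + 1:j], line, True))
            line, i = line + text[i:j].count("\n"), j + 1
        else:                             # bare word up to whitespace or { } ;
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append((text[i:j], line, False)); i = j
    return tokens

def parse(tokens):
    """Build the directive tree: '{ ... }' nests, ';' ends a simple directive."""
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            tok, line, quoted = tokens[pos]
            pos += 1
            if tok == "}" and not quoted:
                return items
            d = Directive(tok, [], line)
            while pos < len(tokens) and (tokens[pos][2] or tokens[pos][0] not in "{};"):
                d.args.append(tokens[pos][0])
                pos += 1
            if pos < len(tokens) and tokens[pos][0] == "{" and not tokens[pos][2]:
                pos += 1
                d.block = block()
            elif pos < len(tokens) and tokens[pos][0] == ";":
                pos += 1
            items.append(d)
        return items
    return block()

UNNAMED_CAPTURE = re.compile(r"\$\d")  # $1, $2, ... used in the replacement string
FOLLOWERS = {"rewrite", "if", "set"}
def find_risky_rewrites(directives, path="root"):
    """(path, line, directive text, follower) for each rewrite matching the pattern."""
    findings = []
    for i, d in enumerate(directives):
        if d.name == "rewrite" and len(d.args) >= 2:
            later = [s.name for s in directives[i + 1:] if s.name in FOLLOWERS]
            if later and "?" in d.args[1] and UNNAMED_CAPTURE.search(d.args[1]):
                findings.append((path, d.line, " ".join(["rewrite", *d.args]), later[0]))
        if d.block:   # recurse into http/server/location/if blocks
            findings += find_risky_rewrites(d.block, f"{path} > {' '.join([d.name, *d.args])}")
    return findings

def audit_config(text):
    return find_risky_rewrites(parse(tokenize(text)))

SAMPLE_CONFIG = """\
# constructed sample configuration, not a real deployment
http {
    server {
        location /legacy/ {
            # vulnerable pattern: $1 and '?' in the replacement, then a set directive
            rewrite ^/legacy/(.*)$ /app?page=$1 last;
            set $backend "app";
        }
        location /safe/ {
            # mitigated as F5 advised: a named capture instead of $1
            rewrite "^/safe/(?<page>.*)$" /app?page=$page last;
            set $backend "app";
        }
        location /alone/ {
            rewrite ^/alone/(.*)$ /app?page=$1 last;   # no later rewrite/if/set here
        }
    }
}
"""

for finding in audit_config(SAMPLE_CONFIG):
    print("flagged:", finding)
```

Only the /legacy/ location is flagged: /safe/ carries the named-capture mitigation and /alone/ has no later rewrite, if, or set directive, which matches the article's point that the bug needs the whole pattern, not just an unnamed capture. To audit a real host, feed the text of `nginx -T` to `audit_config`, and treat every hit as a location to patch first or convert to named captures.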
In the broader context, this incident highlights the ongoing challenge of securing widely deployed open-source software. NGINX's complex configuration options, while powerful, can introduce subtle security issues. The CVE-2026-42945 vulnerability is a reminder that even mature, battle-tested software can harbor critical flaws when specific configuration patterns are used. As the threat landscape evolves, defenders must stay vigilant, maintain robust patching processes, and continuously monitor for signs of exploitation.
Source: Help Net Security News