May 31, 2026

CVE-2026-42945: 18-Year NGINX Heap Flaw Enables Unauthenticated RCE


CVE-2026-42945 (a critical heap buffer overflow — a memory corruption bug where a program writes past the end of its allocated buffer — in NGINX's URL rewriting engine) allows any unauthenticated attacker to crash NGINX worker processes or execute arbitrary code with a single crafted HTTP request. The flaw, publicly named NGINX Rift and disclosed on May 13, 2026, carries a CVSS v3.1 score of 9.2 (Critical — remotely exploitable, no authentication or user interaction required), and was introduced in NGINX version 0.6.27 released in 2008, meaning it sat undetected in the world's most widely deployed web server for 18 years. Active exploitation was confirmed by VulnCheck on May 16, 2026, just three days after public disclosure.

// 01 CVE-2026-42945: Technical Details

CVE-2026-42945 resides in NGINX's ngx_http_rewrite_module — the component that handles URL rewriting, HTTP redirects, and conditional request routing. The root cause is a two-pass calculation error in ngx_http_script.c, the C source file driving NGINX's rewrite script engine.

NGINX processes URL rewrites in two sequential phases: a size-estimation pass and a write pass. In the estimation pass, NGINX calculates how large a buffer it needs to store the rewritten URL. In the write pass, it copies the rewritten URL into that buffer. The bug triggers when a configuration pattern combines two elements:

  • An unnamed PCRE capture — a numbered backreference such as $1 or $2 from a Perl-Compatible Regular Expression, the industry-standard regex engine used in NGINX rewrite rules
  • A question mark (?) in the replacement string, followed by a second rewrite, if, or set directive

In this combination, NGINX computes the buffer size using one set of URI-escaping assumptions during the estimation pass, then uses a different set during the write pass. The write runs past the end of the allocated memory, producing deterministic heap corruption that an attacker can reliably exploit.
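To make the two-pass mismatch concrete, here is a small model added for this article; it is not NGINX's code. Pass 1 estimates the rewritten length, pass 2 writes it, and they disagree about escaping a capture once the replacement contains '?', so the estimate comes up short; the safe write refuses to exceed the estimated size instead of overrunning it, and one shared escaping rule removes the gap. The escape set, the $N template syntax and the "raw once a ? is present" rule are assumptions of the model, not NGINX's actual logic.

```python
import re

# Constructed model of a two-pass rewrite engine (estimate, then write). It is not
# NGINX's ngx_http_script.c; it reproduces only the bug class described above:
# the two passes disagree about which bytes of a capture get %XX-escaped.
UNSAFE = set(' "<>\\^`{|}')      # assumed set of bytes a path writer escapes
CAPTURE = re.compile(r"\$(\d)")  # numbered PCRE backreferences: $1 .. $9


def escape(s):
    """Percent-encode every UNSAFE byte; each one grows from 1 to 3 bytes."""
    return "".join("%%%02X" % ord(c) if c in UNSAFE else c for c in s)


def estimate_len(template, captures, shared_rules=False):
    """Pass 1: predict the output length without building it. With shared_rules
    False the estimator assumes captures are copied raw once the replacement
    contains '?' (the modelled mismatch); with True it reuses escape()."""
    raw_mode = "?" in template and not shared_rules
    total = 0
    for i, tok in enumerate(CAPTURE.split(template)):  # odd indexes are group numbers
        if i % 2 == 1:
            cap = captures[int(tok) - 1]
            total += len(cap) if raw_mode else len(escape(cap))
        else:
            total += len(tok)
    return total


def render(template, captures):
    """Pass 2: build the rewritten URI; captured text is always escaped."""
    return CAPTURE.sub(lambda m: escape(captures[int(m.group(1)) - 1]), template)


def write_into(buf_size, template, captures):
    """A safe write pass: refuse to exceed the buffer instead of overrunning it."""
    out = render(template, captures)
    return out if len(out) <= buf_size else None


def check(template, captures, shared_rules=False):
    """Run both passes and report by how many bytes the write would overrun."""
    est = estimate_len(template, captures, shared_rules)
    actual = len(render(template, captures))
    return {"estimated": est, "actual": actual, "overrun": max(0, actual - est),
            "written": write_into(est, template, captures)}
```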

The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-exploitable, low attack complexity, no privileges required, no user interaction required, and full potential impact on confidentiality, integrity, and availability.

CVE-2026-42945 NGINX Rift exploit flow — single request to RCE

For a denial-of-service (DoS — an attack that makes a service unavailable to legitimate users) outcome, a single malformed request crashes the NGINX worker process. NGINX automatically respawns crashed workers, so a sustained stream of crafted requests keeps triggering the crash loop, rendering the server unable to serve legitimate traffic.

For full remote code execution (RCE — the ability to run arbitrary commands on the target server), an attacker employs Heap Feng Shui — carefully timing and sizing memory allocations to arrange the heap in a predictable layout. By opening two connections in sequence, the attacker coerces NGINX's memory allocator into placing a victim pool directly adjacent to the attacker's pool. The overflow then corrupts the cleanup function pointer stored in the pool header at offset 64. When NGINX frees that pool, it calls the corrupted pointer, redirecting execution flow to attacker-controlled code.

A public PoC (Proof-of-Concept — working exploit code released publicly) includes a complete ASLR-bypass chain. ASLR (Address Space Layout Randomization — an OS defense that randomizes memory addresses to prevent reliable exploits) is defeated using an information-leak primitive commonly available in the same hosting environment.

// 02 Exploitation Status and Threat Landscape

VulnCheck's canary systems flagged CVE-2026-42945 exploitation attempts on May 16, 2026 — three days after the vulnerability and PoC code were made public. CISA (the U.S. Cybersecurity and Infrastructure Security Agency) added CVE-2026-42945 to its KEV (Known Exploited Vulnerabilities) catalog, confirming real-world attacks are underway and obligating Federal Civilian Executive Branch (FCEB) agencies to patch immediately.

No specific threat actor group has been publicly attributed to the current exploitation wave. The attack pattern aligns with MITRE ATT&CK (a publicly accessible framework cataloging adversary tactics and techniques) technique T1190 — Exploit Public-Facing Application, with post-exploitation activity consistent with T1059 (Command and Scripting Interpreter — executing attacker-supplied commands on the compromised host) and T1210 (Exploitation of Remote Services — using a compromised NGINX instance to pivot deeper into an internal network).

// 03 Who Is Affected

CVE-2026-42945 affects the following NGINX versions:

  • NGINX Open Source: versions 0.6.27 through 1.30.0 — every stable release since 2008
  • NGINX Plus (F5's commercial distribution): releases R32 through R36

The vulnerable configuration pattern — a rewrite directive using an unnamed PCRE capture with a ? replacement, followed by a second rewrite, if, or set directive — is common in production environments. WordPress permalink rewrites, Laravel URL routing via PHP-FPM, and standard reverse proxy server blocks for API gateways frequently match this pattern.

NGINX powers an estimated 34% of all active websites globally. Kubernetes clusters running ingress-nginx (the NGINX-based Ingress controller for Kubernetes — the container orchestration platform managing most large-scale cloud deployments) are separately affected and require patching at the cluster level through updated controller images.

Environments at highest immediate risk:

  • Shared web hosting providers where a single NGINX instance fronts hundreds of virtual hosts — a single exploited account can lead to full server compromise
  • API gateways and load balancers with complex rewrite-based routing rules
  • Kubernetes clusters running unpatched ingress-nginx controller images

// 04 What You Should Do Right Now

  • Update NGINX Open Source immediately — upgrade to 1.30.1 (stable) or 1.31.0 (mainline). On Debian/Ubuntu: apt update && apt install nginx. On RHEL/AlmaLinux/Rocky: dnf update nginx. Verify: nginx -v.
  • Update NGINX Plus — R36 users apply patch R36 P4; R32 through R35 users apply R32 P6. Obtain patches from your F5 support portal.
  • Audit your rewrite rules for the vulnerable pattern before the next internet-facing request reaches your server:

```bash
grep -rn 'rewrite.*\$[0-9].*?' /etc/nginx/
```

    Any match in a location block that also contains a subsequent rewrite, if, or set directive is potentially exploitable.

  • Update ingress-nginx in Kubernetes clusters — upgrade to controller image registry.k8s.io/ingress-nginx/controller:v1.12.2 or later. Check which controller image is currently running with:

```bash
kubectl get pods -n ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}'
```

  • Deploy WAF rules as a temporary layer — Akamai and Cloudflare have published emergency WAF (Web Application Firewall — a filter that inspects and blocks malicious HTTP requests) rules for CVE-2026-42945. Enable them via your CDN dashboard if you cannot immediately upgrade.
  • Monitor for exploitation attempts in access logs — look for percent-encoded characters and malformed URI fragments targeting rewrite-enabled endpoints. VulnCheck has published Snort and Suricata signatures for CVE-2026-42945 exploitation patterns.
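The grep above matches any rewrite with a numbered capture and a '?', including ones that are the last directive in their block. As an added example (not from the article or the NGINX project), this Python lint parses a config and flags only rewrites whose replacement carries a numbered capture and a '?' and that are followed by another rewrite, if or set in the same block. The sample config is constructed; the parser is simplified (no include expansion, and a '#' always starts a comment, even inside quotes).

```python
import re
# Constructed sample config (not from the article); comments state the expected verdict.
SAMPLE = r"""
http { server {
    location /blog/ {
        rewrite ^/blog/(\d+)/?$ /index.php?p=$1 last;   # numbered capture + '?' ...
        set $hit 1;                                      # ... then a set directive: flag
    }
    location /safe/ { rewrite ^/safe/(.*)$ /other/$1 break; set $x 1; }   # no '?': clean
    location /api/ { rewrite ^/api/(.*)$ /v2/$1?fmt=json last; }          # nothing follows: clean
    location /legacy/ { rewrite ^/legacy/(.*)$ /new/$1? permanent; if ($a) { return 405; } }  # then if: flag
} }
"""
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
NUMBERED_CAPTURE = re.compile(r"\$\{?\d")   # $1, ${1}, ... but not named captures
FOLLOWERS = ("rewrite", "if", "set")

def parse(text):
    # Minimal nginx config parser -> (name, args, children), children None for a plain
    # directive. Simplified: no include expansion, '#' always starts a comment.
    stack, cur = [("root", [], [])], []
    for line in text.splitlines():
        for tok in TOKEN.findall(line.split("#", 1)[0]):
            if tok == ";":
                if cur: stack[-1][2].append((cur[0], cur[1:], None))
                cur = []
            elif tok == "{":
                block = (cur[0], cur[1:], [])
                stack[-1][2].append(block)
                stack.append(block)
                cur = []
            elif tok == "}":
                stack.pop()
            else:
                cur.append(tok)
    return stack[0]

def audit(node, path="root"):
    # Flag a rewrite whose replacement has a numbered capture and a '?' when another
    # rewrite, if or set directive follows it in the same block; recurse into blocks.
    findings, kids = [], node[2]
    for i, (name, args, children) in enumerate(kids):
        label = " ".join([name] + args)
        if name == "rewrite" and len(args) >= 2 and "?" in args[1] \
                and NUMBERED_CAPTURE.search(args[1]):
            nxt = [c[0] for c in kids[i + 1:] if c[0] in FOLLOWERS]
            if nxt: findings.append((path, label, nxt[0]))
        if children is not None:
            findings.extend(audit((name, args, children), path + " > " + label))
    return findings
```

Run it with `audit(parse(open("/etc/nginx/nginx.conf").read()))` after concatenating any included files; each finding is (block path, rewrite directive, the following directive that completes the pattern).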

// 05 Background: Understanding the Risk

NGINX is not merely popular — it is load-bearing internet infrastructure. As the web server or reverse proxy for roughly one in three websites, a remotely exploitable NGINX vulnerability simultaneously threatens a substantial fraction of the visible internet.

Heap buffer overflows in web servers have a history of catastrophic reach. The 2014 Heartbleed flaw (CVE-2014-0160 in OpenSSL, the library providing encrypted connections) demonstrated how a single memory-handling error in ubiquitous infrastructure could compromise millions of servers within days of disclosure. CVE-2026-42945 follows a similar blast-radius pattern: it affects virtually every NGINX deployment older than the patched releases, and the trigger condition — a specific but common rewrite pattern — is present in countless production configurations without anyone's knowledge.

The 18-year longevity of this bug reflects a fundamental challenge in auditing large C codebases for subtle cross-phase correctness violations. This was not a simple off-by-one write; it required understanding the interaction between NGINX's string escaping logic and its memory pool allocator across two separate processing phases and multiple source files. Most static analysis tools flag overflows that are observable within a single function; bugs spanning separate phases in the same request lifecycle are systematically harder to detect automatically.

What makes CVE-2026-42945 operationally dangerous beyond its scope is the speed of exploitation. A public PoC with a complete ASLR-bypass chain arrived the same day as the CVE disclosure. Three days later, exploitation was confirmed in the wild. For most organizations, the time between "patch released" and "patched in production" runs from days to weeks — that gap is more than sufficient for widespread opportunistic compromise.

Organizations running NGINX as a reverse proxy in front of internal applications face compounded risk: a compromised NGINX instance provides an attacker with a foothold inside the network perimeter, direct access to internal API endpoints, and the ability to intercept or modify unencrypted traffic between the proxy and upstream application servers.

// 06 Conclusion

CVE-2026-42945 is an 18-year-old critical heap buffer overflow in NGINX that allows unauthenticated remote code execution or persistent denial of service with a single crafted HTTP request, and is actively being exploited in the wild. Any team running NGINX Open Source older than 1.30.1, or NGINX Plus before R36 P4 / R32 P6, must patch immediately — there is no configuration-level workaround that eliminates risk for servers using the vulnerable rewrite pattern.

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.