NGINX Rift Rewrite Flaw Triggers Worker Crashes and Possible RCE
F5 and NGINX disclosed CVE-2026-42945 ("NGINX Rift"), a critical heap buffer overflow in ngx_http_rewrite_module affecting NGINX Open Source 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. The bug is exposed when servers use a specific rewrite pattern: a rewrite directive with unnamed PCRE captures such as $1 or $2, a replacement string containing ?, and a following rewrite, if, or set directive. An unauthenticated attacker can send crafted HTTP requests to corrupt heap memory in the worker process, reliably causing crashes and restarts; code execution is considered possible in weaker environments, particularly where ASLR is disabled. Fixes were released in NGINX 1.30.1, 1.31.0, and patched NGINX Plus builds, while Debian, AlmaLinux, and other downstream vendors began shipping updates.
Public writeups and proof-of-concept code quickly drove attacker interest, and multiple reports said VulnCheck observed exploitation attempts on canary systems within days of disclosure. Researchers and defenders broadly agreed that denial-of-service is the most practical near-term impact, while widespread reliable RCE is less likely on hardened systems with modern memory protections enabled. Administrators were urged to patch internet-facing reverse proxies, load balancers, ingress controllers, and API gateways, audit rewrite rules for unnamed captures, and use named captures as a temporary mitigation where upgrades cannot be applied immediately. The same release cycle also addressed additional NGINX flaws including CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934.
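An added example (not code from F5, NGINX, or any cited source): a heuristic auditor for the rewrite pattern described above, covering the "audit rewrite rules for unnamed captures" step. It assumes "following" means a later rewrite, if, or set directive in the same configuration block; the function name audit and the sample configuration are constructed for illustration.

```python
import re

# Tokens: quoted strings, comments, block/statement punctuation, bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[;{}]|[^\s;{}"'#]+''')
UNNAMED = re.compile(r'\$[1-9]')        # positional captures such as $1, $2
FOLLOWERS = {"rewrite", "if", "set"}    # follow-on directives named in the advisory
PUNCT = {";", "{", "}"}

def audit(conf):
    """Return [(line_no, directive)] for rewrites matching the described pattern."""
    # scopes[-1] holds risky rewrites in the current block still awaiting a follower
    # (assumption: only same-block followers count).
    findings, scopes, stmt, start = [], [[]], [], None
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok not in PUNCT:
            if not stmt:
                start = conf.count("\n", 0, m.start()) + 1
            stmt.append(tok[1:-1] if tok[0] in "\"'" else tok)
            continue
        if stmt:
            if stmt[0] in FOLLOWERS and scopes[-1]:
                findings.extend(scopes[-1])      # earlier risky rewrite now has a follower
                scopes[-1] = []
            if stmt[0] == "rewrite" and len(stmt) >= 3:
                if "?" in stmt[2] and UNNAMED.search(stmt[2]):
                    scopes[-1].append((start, " ".join(stmt)))
            stmt = []
        if tok == "{":
            scopes.append([])
        elif tok == "}" and len(scopes) > 1:
            scopes.pop()
    return findings

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = r'''
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new.php?page=$1;   # unnamed capture and "?" in replacement
        set $seen 1;                            # follow-on directive: flagged
    }
    location /safe/ {
        rewrite ^/safe/(?<page>.*)$ /new.php?page=$page;  # named capture mitigation
        set $seen 1;
    }
}
'''
```

A clean result is a prompt for manual review rather than proof of safety: included files are not resolved and ordering across blocks is not modelled.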

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
HPE Aruba Networking issued advisory on CVE-2026-42945 status
HPE published product advisory HPESBNW05064 rev.1 addressing the status of the NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 in HPE Aruba Networking products. This represents a new vendor-specific downstream response for affected product lines.
Reports warned of active exploitation in the wild
Security outlets reported that CVE-2026-42945 was being actively exploited in the wild, citing VulnCheck observations and rapid attacker scanning of exposed NGINX servers. Coverage emphasized that denial-of-service exploitation was realistic, while broad reliable RCE remained less practical because exploitation depends on specific rewrite configurations and, often, on ASLR being disabled.
VulnCheck observed exploitation attempts against CVE-2026-42945
VulnCheck reported seeing exploitation activity against CVE-2026-42945 on its canary systems shortly after disclosure. One report explicitly states exploitation attempts began on May 16, indicating attackers moved quickly after patches and PoC details became public.
Debian issued DSA-6278-1 nginx security update
Debian published security advisory DSA-6278-1 for nginx, indicating distribution-level remediation for the disclosed vulnerabilities. The advisory marks a downstream packaging response following the upstream disclosure and fixes.
AlmaLinux released backported nginx fixes to its repositories
AlmaLinux reproduced the denial-of-service condition for CVE-2026-42945 across AlmaLinux 8, 9, 10, and Kitten 10, then released backported patched nginx packages to testing repositories, with Kitten 10 receiving the fix in its regular repository. The vendor also recommended replacing unnamed captures with named captures as a temporary mitigation.
DepthFirst published root-cause analysis and PoC for NGINX Rift
DepthFirst published technical analysis and a proof of concept for CVE-2026-42945, describing how the rewrite engine's handling of question marks and unnamed captures can lead to heap corruption. Reports said the PoC demonstrated worker-process RCE in a lab setup with ASLR disabled.
Public disclosure of CVE-2026-42945 and companion NGINX flaws
CVE-2026-42945 was publicly disclosed as a critical heap buffer overflow in ngx_http_rewrite_module affecting NGINX Open Source and NGINX Plus, alongside additional CVEs in SCGI/UWSGI, SSL, and charset components. Public advisories described the vulnerable rewrite pattern, affected versions, and the risk of worker crashes and possible code execution when ASLR is disabled.
NGINX 1.31.0 and 1.30.1 released with CVE-2026-42945 fixes
The nginx project released version 1.31.0 and the stable branch update 1.30.1, including fixes for CVE-2026-42945 and several other security issues. The release notes highlighted the rewrite-module flaw and other vulnerabilities across proxy, SCGI/UWSGI, charset, HTTP/3, and OCSP-related components.
F5/NGINX patched CVE-2026-42945 after responsible disclosure
F5 and NGINX released fixes for CVE-2026-42945 after responsible disclosure, covering affected NGINX Open Source and NGINX Plus versions. Multiple reports state patches were issued on April 21, 2026, with upgrade guidance and configuration workarounds provided.
Sources
31 references tracked.
HPESBNW05064 rev.1 - Status of NGINX ngx_http_rewrite_module Vulnerability (CVE-2026-42945) in HPE Aruba Networking Products (support.hpe.com)
NGINX Heap Buffer Overflow Vulnerability Patched (securityonline.info)
NGINX Rift: CVE-2026-42945 Exploited In Attacks (thecyberexpress.com)
Critical bug in F5 NGINX actively exploited | news | SC Media (scworld.com)
NGINX Rift: Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability | depthfirst (depthfirst.com)
nginx 1.31.0 [rest of title unrecoverable due to encoding damage] (opennet.me)
NGINX Rift (depthfirst.com)
#cybersecurity #threatintelligence #riskmanagement #infosecurity | Patrick Garrity 👾🛹💙 (linkedin.com)


