RiverCore · Security
NGINX Rift: 18-Year-Old Rewrite Flaw Enables Unauth RCE


15 May 2026 · 7 min read · James O'Brien

There's an old bit of folklore in archaeology about the Roman aqueducts: the lead pipes were leaching toxins into the water for centuries, and nobody noticed because the aqueducts kept delivering. NGINX has just had its lead-pipe moment. A heap buffer overflow has been sitting in the rewrite module since roughly the Bush administration, dutifully proxying half the internet, and nobody spotted it until now.

The water still tastes fine. The pipe is poisoned.

What Happened

On Wednesday May 14, 2026, F5 published an advisory for a critical vulnerability in NGINX Plus and NGINX Open Source. The bug, codenamed NGINX Rift and tracked as CVE-2026-42945, carries a CVSS v4 score of 9.2 and has been undetected for 18 years. As The Hacker News reported, the flaw was discovered by a researcher going by depthfirst and responsibly disclosed on April 21, 2026.

It's a heap buffer overflow in ngx_http_rewrite_module, the part of NGINX that handles URL rewriting. F5's own wording: "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module." The trigger conditions are specific but not exotic: a rewrite directive followed by another rewrite, if, or set, using an unnamed PCRE capture like $1 or $2, and a replacement string containing a question mark. That config pattern is everywhere. Anyone who has ever hand-rolled a redirect chain for SEO migration has written it.

The blast radius is wide. NGINX Plus R32 through R36 are vulnerable, with fixes in R32 P6 and R36 P4. NGINX Open Source 1.0.0 through 1.30.0 is affected, patched in 1.30.1 and 1.31.0. The truly grim bit: versions 0.6.27 through 0.9.7 are also vulnerable, and F5 has no fixes planned for them. F5's downstream products are dragged in too: NGINX Instance Manager, F5 WAF for NGINX, App Protect WAF and DoS, Gateway Fabric, and Ingress Controller across multiple major versions. Three other CVEs were patched in the same advisory, which we'll get to.

Technical Anatomy

The guts of it are unpleasantly elegant. When NGINX processes a rewrite directive with an unnamed PCRE capture and a replacement string containing a question mark, the worker miscomputes the allocation size for the rewritten URI. Bytes get written past the buffer. The bytes that overflow aren't random padding from the kernel; they're derived from the attacker's URI. depthfirst's own framing makes this explicit: "the bytes written past the allocation are derived from the attacker's URI, so the corruption is shaped by the attacker rather than random."

That distinction matters. A random heap corruption is a denial-of-service primitive. A shaped heap corruption is an exploit primitive. The difference between "we crashed your worker" and "we're running our code in your worker" is whether the attacker controls what lands where, and here they do.

The pre-conditions are short enough to fit on a Post-it. No authentication. No session. No prior access. Quoting depthfirst again: "An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution. There is no authentication step, no prior access requirement, and no need for an existing session."

One HTTP request. That's the whole exploit chain.

For full RCE you need ASLR disabled on the target, which is the only mitigating factor of any substance. On hardened modern Linux distributions that's not the default, but anyone who has audited a fleet of mixed-vintage VMs in a payments or iGaming estate knows ASLR-disabled boxes turn up more often than they should, especially in older container base images and bespoke kernel builds. Even on ASLR-enabled systems, the worker crash-loops. Repeated requests keep workers cycling, degrading availability for every site served by that instance. So this is RCE on soft targets and reliable DoS on everything else.

The three companion CVEs in the same advisory are worth noting. CVE-2026-42946 (CVSS 8.3) is an excessive memory allocation in the SCGI and uWSGI modules, exploitable via AitM when scgi_pass or uwsgi_pass is configured. CVE-2026-40701 (CVSS 6.3) is a use-after-free in the SSL module when client cert verification and OCSP stapling are on. CVE-2026-42934 (CVSS 6.3) is an out-of-bounds read in the charset module under specific proxy-buffering configs. None of them are NGINX Rift, but if you're patching anyway, patch them all.

Who Gets Burned

NGINX is the load balancer and reverse proxy of choice for a serious chunk of internet-facing infrastructure. If your stack has an edge tier, there's a decent chance NGINX is in it.

In iGaming, the typical sportsbook frontend sits behind an NGINX layer doing geo-routing, A/B splits, and legacy URL rewrites for years of market-specific landing pages. Those rewrite chains accumulated over a decade of regulatory mergers are exactly the kind of config that lights up this CVE. The poisoned aqueduct has been carrying bet slips this whole time.

Fintech is in the same boat. Payment gateways routinely use NGINX as the TLS termination and routing layer in front of stateless API services. The compliance team is going to want a written answer to "were any of our PCI-scoped workers running an affected version" by next Monday. Anyone running NGINX App Protect WAF in versions 4.9.0 through 4.16.0 or 5.1.0 through 5.8.0, or F5 WAF for NGINX 5.9.0 through 5.12.1, has the special pleasure of explaining why their WAF was itself vulnerable.

Crypto and DeFi shops who use NGINX Ingress Controller in Kubernetes (versions 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1 are all affected) need to check their cluster manifests immediately. A compromised ingress pod in a multi-tenant cluster is an unusually bad day.

Ad-tech is perhaps the most exposed of the lot. The whole vertical runs on NGINX-fronted bid endpoints handling enormous request volumes, where a crash-looping worker isn't just downtime, it's lost revenue measured in dollars per second. Repeated DoS requests against an RTB exchange would be devastating even without the RCE path.

Finally, the 0.6.27 through 0.9.7 cohort with no planned fix. That's pre-2012 NGINX. Anyone still running it is in a museum exhibit, and museums tend not to have great patching pipelines.

Playbook for Security Teams

First, inventory. Run something across your fleet that pulls nginx -v and matches against the affected version list. Don't trust the package manager's view alone, because in containerised environments the running binary often differs from what the host thinks is installed. Check sidecar proxies in service meshes too; plenty of them ship NGINX under the hood.
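An inventory helper for this step, added here as an example and not code from the article, F5 or the NGINX project: it parses an nginx -v banner, classifies it as affected, fixed or unlisted against the version ranges quoted above, and also performs the ASLR sysctl check from the fourth step. Two things are assumptions rather than facts from the advisory: that NGINX Plus builds report themselves with a "(nginx-plus-rNN[-pM])" suffix in the banner, and that any Open Source release at or above 1.30.1 carries the fix. Anything outside the listed ranges is reported as unlisted, not as safe.

```python
"""Classify an `nginx -v` banner against the advisory's version list and check
the ASLR sysctl. Added example, not F5/NGINX tooling; ranges come from the
article, the Plus banner format and the ">= 1.30.1 is fixed" rule are assumptions."""
import re
import subprocess
from typing import Optional, Tuple

# Inclusive Open Source ranges as quoted in the article.
OSS_AFFECTED = [((0, 6, 27), (0, 9, 7)), ((1, 0, 0), (1, 30, 0))]
OSS_FIXED_FROM = (1, 30, 1)          # 1.30.1 and 1.31.0 are the fixed releases
PLUS_AFFECTED = range(32, 37)        # R32 through R36
PLUS_FIXED_PATCH = {32: 6, 36: 4}    # R32 P6 and R36 P4; R33-R35 have no patch level listed

VERSION_RE = re.compile(r'nginx/(\d+)\.(\d+)\.(\d+)')
PLUS_RE = re.compile(r'nginx-plus-r(\d+)(?:-p(\d+))?')   # assumed Plus banner format


def parse_banner(banner: str) -> Tuple[Tuple[int, int, int], Optional[Tuple[int, int]]]:
    """Return ((major, minor, patch), (plus_release, plus_patch) or None)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f'unrecognised nginx banner: {banner!r}')
    oss = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    p = PLUS_RE.search(banner)
    plus = (int(p.group(1)), int(p.group(2) or 0)) if p else None
    return oss, plus


def classify(banner: str) -> str:
    """'affected', 'fixed', or 'unlisted' (outside every range the advisory
    names; treat unlisted as "check manually", never as safe)."""
    oss, plus = parse_banner(banner)
    if plus is not None:
        release, patch = plus
        if release not in PLUS_AFFECTED:
            return 'unlisted'
        fixed_at = PLUS_FIXED_PATCH.get(release)
        return 'fixed' if fixed_at is not None and patch >= fixed_at else 'affected'
    if any(lo <= oss <= hi for lo, hi in OSS_AFFECTED):
        return 'affected'
    return 'fixed' if oss >= OSS_FIXED_FROM else 'unlisted'


def aslr_status(sysctl_value: str) -> str:
    """Map the contents of /proc/sys/kernel/randomize_va_space to a verdict; 2 is required."""
    return 'ok' if sysctl_value.strip() == '2' else 'ASLR weakened or disabled'


def inventory_host(nginx_binary: str = 'nginx') -> dict:
    """Query the *running* binary (pass a container's binary path explicitly,
    since the package manager's view may differ) plus the ASLR sysctl."""
    proc = subprocess.run([nginx_binary, '-v'], capture_output=True, text=True)
    banner = (proc.stderr or proc.stdout).strip()     # nginx -v prints to stderr
    try:
        with open('/proc/sys/kernel/randomize_va_space') as fh:
            aslr = aslr_status(fh.read())
    except OSError:
        aslr = 'unknown (sysctl not readable)'
    return {'banner': banner, 'status': classify(banner), 'aslr': aslr}


if __name__ == '__main__':
    print(inventory_host())
```

Run it inside each container image as well as on the host, and feed the results into whatever asset register the compliance team will be asking about: the "unlisted" bucket is the one that needs a human to look at it.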

Second, patch. NGINX Plus users move to R32 P6 or R36 P4. Open Source users move to 1.30.1 or 1.31.0. If you're on the F5 downstream stack (Instance Manager, App Protect WAF, Gateway Fabric, Ingress Controller), check the version matrix in the advisory and roll the matching fix.

Third, if you can't patch this week, F5's mitigation workaround is straightforward: replace unnamed captures with named captures in every affected rewrite directive. So rewrite ^/foo/(.*)$ /bar/$1?baz=1; becomes a version using named groups like (?<path>.*) and $path. Grep your configs for the pattern and rewrite them. It's the boring bit but it's the part where, if you skip a config file, the workaround silently doesn't apply.
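A config scanner for this step, added here as an example rather than code from the article or from F5: it walks an nginx config, finds rewrite directives that match the trigger shape described above (an unnamed capturing group in the regex, a $N reference in the replacement, and a question mark in the replacement) and prints the equivalent named-capture form. It reads one directive per line, checks only the rewrite itself rather than the following if/set context the advisory mentions, and so deliberately over-reports; the group names c1, c2, ... and the sample config are the editor's own constructions.

```python
"""Find rewrite directives of the shape the article describes and propose the
named-capture workaround. Added example, not F5's or the article's tooling.
Assumptions: one directive per line; the surrounding if/set context is
ignored, so the scan is conservative and may over-report; the group names
'c1', 'c2', ... are an arbitrary choice."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# rewrite <regex> <replacement> [flag];  arguments may be single- or double-quoted
REWRITE_RE = re.compile(r'''^\s*rewrite\s+("[^"]*"|'[^']*'|\S+)\s+("[^"]*"|'[^']*'|\S+)'''
                        r'''(?:\s+(last|break|redirect|permanent))?\s*;''')
UNNAMED_REF_RE = re.compile(r'\$(\d)(?!\d)')          # NGINX exposes $1..$9
NAMED_OPEN_RE = re.compile(r"\?(?:P?<[A-Za-z]|')")   # (?<name>, (?P<name>, (?'name'


@dataclass
class Finding:
    line_no: int
    original: str
    suggested: str


def _split_quote(tok: str) -> Tuple[str, str]:
    """Return (quote_char_or_empty, unquoted_token) so quoting can be preserved."""
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in '"\'':
        return tok[0], tok[1:-1]
    return '', tok


def name_unnamed_groups(regex: str) -> str:
    """Turn every unnamed capturing group into (?<cN>...). N follows PCRE
    numbering, so already-named groups are counted but left untouched; escapes,
    character classes and (?:...)/lookaround groups are copied as-is."""
    out, n, i, in_class = [], 0, 0, False
    while i < len(regex):
        ch = regex[i]
        if ch == '\\' and i + 1 < len(regex):        # escaped char, copy verbatim
            out.append(regex[i:i + 2]); i += 2; continue
        if in_class:
            in_class = ch != ']'
        elif ch == '[':
            in_class = True
        elif ch == '(':
            if regex[i + 1:i + 2] != '?':              # plain capturing group
                n += 1
                out.append(f'(?<c{n}>'); i += 1; continue
            if NAMED_OPEN_RE.match(regex, i + 1):      # named group: takes a number too
                n += 1
        out.append(ch); i += 1
    return ''.join(out)


def scan_config(text: str) -> List[Finding]:
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        q1, regex = _split_quote(m.group(1))
        q2, repl = _split_quote(m.group(2))
        new_regex = name_unnamed_groups(regex)
        # Trigger shape per the article: unnamed capture, $N in replacement, '?' in replacement
        if new_regex == regex or not UNNAMED_REF_RE.search(repl) or '?' not in repl:
            continue
        new_repl = UNNAMED_REF_RE.sub(lambda r: f'$c{r.group(1)}', repl)
        flag = f' {m.group(3)}' if m.group(3) else ''
        findings.append(Finding(no, line.strip(),
                                f'rewrite {q1}{new_regex}{q1} {q2}{new_repl}{q2}{flag};'))
    return findings


# Constructed sample config for demonstration; not taken from any real deployment.
SAMPLE_CONF = r"""server {
    listen 80;
    rewrite ^/foo/(.*)$ /bar/$1?baz=1;
    rewrite ^/old/(?<path>.*)$ /new/$path?x=1 last;
    rewrite ^/a/(.*)$ /b/$1 permanent;
    rewrite "^/m/([a-z]+)/(\d+)$" "/market?name=$1&id=$2" redirect;
}
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for f in scan_config(text):
        print(f'line {f.line_no}: {f.original}\n    -> {f.suggested}')
```

Point it at every file nginx -T reports as included, not just nginx.conf, since the workaround silently fails to apply to any rewrite you miss; after editing, nginx -t confirms the named groups still parse.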

Fourth, verify ASLR is enabled on every host running NGINX. cat /proc/sys/kernel/randomize_va_space should return 2. This won't stop the DoS path but it pushes RCE from "single request" to "much harder."

Fifth, hunt. The exploit is shaped HTTP requests with PCRE-capture-laden URIs and question marks. Pull a week of access logs and look for unusual patterns hitting rewrite endpoints. CISA's KEV catalog will likely add this fast once exploitation goes public, so monitor it.

Key Takeaways

  • CVE-2026-42945, codenamed NGINX Rift, is a CVSS 9.2 heap buffer overflow in ngx_http_rewrite_module that sat undetected for 18 years and enables unauthenticated RCE via a single crafted HTTP request.
  • The vulnerability triggers when a rewrite directive uses unnamed PCRE captures with a replacement string containing a question mark, a configuration pattern common in long-lived production setups.
  • Patches are available in NGINX Plus R32 P6 and R36 P4, and NGINX Open Source 1.30.1 and 1.31.0. Versions 0.6.27 through 0.9.7 are vulnerable with no planned fix.
  • Three companion CVEs (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) were patched in the same advisory and should be addressed together.
  • The aqueduct has been carrying your traffic all along, but the lead is now visible. Inventory, patch, and replace unnamed captures with named captures as an immediate workaround.

Frequently Asked Questions

Q: What is CVE-2026-42945 and how serious is it?

CVE-2026-42945, codenamed NGINX Rift, is a heap buffer overflow vulnerability in NGINX's rewrite module with a CVSS v4 score of 9.2. It allows an unauthenticated attacker to achieve remote code execution or denial-of-service by sending a single crafted HTTP request, and the flaw existed undetected for 18 years.

Q: Which NGINX versions are affected by NGINX Rift?

NGINX Plus R32 through R36, NGINX Open Source 1.0.0 through 1.30.0, and the legacy 0.6.27 through 0.9.7 range are all affected. Fixes are available in NGINX Plus R32 P6 and R36 P4, and in NGINX Open Source 1.30.1 and 1.31.0. The 0.6.27 through 0.9.7 series has no planned fix.

Q: What's the quickest workaround if I can't patch immediately?

F5's recommended mitigation is to replace unnamed PCRE captures (like $1, $2) with named captures in every affected rewrite directive. You should also confirm ASLR is enabled on all hosts running NGINX, since the RCE path specifically requires ASLR to be disabled for reliable code execution.

James O'Brien · RiverCore Analyst · Dublin, Ireland