TP-EXP-2026-0305 CVE-2026-42945 critical Patched AI Draft

NGINX Rift Heap Buffer Overflow (CVE-2026-42945)

Severity Assessment

  • Exploitability: 8/10 - The vulnerable code is reachable through crafted HTTP requests when an affected rewrite configuration is present.
  • Impact: 9/10 - Sources describe heap corruption in the NGINX worker process that crashes workers (forcing restarts and degrading availability) and may allow code execution when ASLR is disabled or bypassed.
  • Weaponization Risk: 8/10 - The Cyber Security Agency of Singapore reported active exploitation and public proof-of-concept availability on 18 May 2026.
  • Patch Urgency: 9/10 - F5 coordinated fixes for supported NGINX Open Source and NGINX Plus releases on the disclosure date.
  • Detection Coverage: 5/10 - The cited advisories did not publish unique network, file, or hash indicators, so detection depends on version, configuration, process, and request-log telemetry.

Summary

CVE-2026-42945 is a heap buffer overflow in the NGINX ngx_http_rewrite_module. The affected condition occurs when a rewrite directive uses an unnamed PCRE capture such as $1 or $2, the replacement string includes a question mark, and another rewrite, if, or set directive follows in the same scope.

The National Vulnerability Database describes the attack path as unauthenticated crafted HTTP requests against NGINX Plus or NGINX Open Source deployments where the required configuration pattern exists. NVD records F5 Networks as the CVE source and lists a CNA CVSS v4.0 score of 9.2 Critical and CVSS v3.1 score of 8.1 High.

depthfirst reported the vulnerability as NGINX Rift and attributed the root cause to inconsistent escaping assumptions in src/http/ngx_http_script.c. According to depthfirst, the fixed releases include NGINX Open Source 1.31.0 and 1.30.1, NGINX Plus R36 P4, and NGINX Plus R32 P6. For systems that cannot upgrade at once, depthfirst described replacing unnamed captures with named captures as a mitigation for the affected rewrite pattern.
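As an added illustration that is not configuration from F5, NVD, or depthfirst, the two location blocks below show the affected shape and the same rule rewritten with a named capture, the mitigation depthfirst described. The /legacy/ path, the $rest and $backend variables, and the last flag are assumptions; the two blocks are alternatives for the same location and are not meant to coexist in one server block.

```nginx
# Added example, not from the cited advisories. Paths and variables are assumed.

# Affected shape: an unnamed capture ($1) in a replacement that contains '?',
# with another directive (here: set) following in the same block.
location /legacy/ {
    rewrite ^/legacy/(.*)$ /app/index.php?path=$1 last;
    set $backend app;
}

# Same rule with a named capture, the mitigation depthfirst described for
# systems that cannot upgrade yet; the trailing set no longer completes the pattern.
location /legacy/ {
    rewrite ^/legacy/(?<rest>.*)$ /app/index.php?path=$rest last;
    set $backend app;
}
```

Check the edited configuration with nginx -t before reloading, and remember that the named-capture form only removes the affected rewrite shape; it is a stopgap until a fixed release is installed.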

At the time of disclosure, depthfirst said it was not aware of in-the-wild exploitation. On 18 May 2026, the Cyber Security Agency of Singapore reported active exploitation and public proof-of-concept availability. The sources do not identify a responsible threat actor.

Exploit Chain

Stage 1: Affected NGINX Version and Rewrite Pattern

The exposed service runs an affected NGINX Open Source or NGINX Plus version and uses the specific rewrite configuration pattern described by F5, NVD, and depthfirst: an unnamed capture in a rewrite replacement containing a question mark, followed by another rewrite, if, or set directive in the same scope.

Stage 2: Crafted HTTP Request Delivery

An unauthenticated attacker sends crafted HTTP requests to a route processed by the vulnerable rewrite logic. The sources describe conditions beyond the attacker's direct control, so a vulnerable version alone does not prove exploitability; the affected configuration pattern must also be present on a route the attacker can reach.

Stage 3: Rewrite Module Buffer Miscalculation

depthfirst's analysis describes inconsistent escaping behavior inside ngx_http_script.c. The destination buffer is sized under one set of escaping assumptions, while the later copy path can expand URI characters such as +, %, or & into longer escaped sequences, so the copy writes past the end of the allocated heap buffer.

Stage 4: Worker Process Crash or Code Execution

NVD and CSA Singapore state that exploitation can cause a heap buffer overflow in the NGINX worker process, leading to worker restart or denial of service. They also state that code execution is possible on systems with ASLR disabled or when an attacker can bypass ASLR.

Stage 5: Post-Exploitation Scope

The cited sources do not provide actor, payload, or infrastructure details. Operators should treat any confirmed exploitation as public-facing application compromise risk and preserve web server logs, process crash data, configuration snapshots, and host telemetry for investigation.

Detection Guidance

Review the NGINX Open Source and NGINX Plus version inventory (for example, the output of nginx -v on each host) for affected releases, especially NGINX Open Source 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. Prioritize internet-facing systems and deployments using ngx_http_rewrite_module.

Search NGINX configuration for rewrite directives that use unnamed captures such as $1 or $2 in a replacement string containing a question mark. In the same scope, check whether another rewrite, if, or set directive follows the affected directive.
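The configuration check above can be automated. The scanner below is an added example, not tooling from F5, NVD, or depthfirst: it tokenizes nginx configuration text, builds the block structure, and flags every rewrite whose replacement uses an unnamed capture ($1, $2, ...) and contains a question mark when another rewrite, if, or set directive appears later in the same block. The sample configuration it runs over is constructed (paths and variable names are illustrative), and two simplifications are assumptions: include directives are not followed, and any later directive in the block counts as "following", which is the conservative reading of the advisory text.

```python
"""Scan nginx configuration text for the rewrite shape CVE-2026-42945 requires.

Added example, not tooling from F5, NVD or depthfirst. Flags a `rewrite` whose
replacement uses an unnamed capture ($1, $2, ...) and contains '?', when another
rewrite, if or set directive comes later in the same block. Assumed: `include`
files are not followed; any later directive in the block counts as "following".
"""
import re
from collections import namedtuple
from typing import List

# name/args/line of a directive; children is a list for blocks, None otherwise
Directive = namedtuple("Directive", "name args line children")
Finding = namedtuple("Finding", "line replacement follower follower_line")

UNNAMED_CAPTURE = re.compile(r"\$\d")
FOLLOWERS = {"rewrite", "if", "set"}
TOKEN_RE = re.compile(r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+""")


def _tokenize(text: str):
    """Yield (token, line): comments dropped, quotes stripped, '{' '}' ';' stand alone."""
    for m in TOKEN_RE.finditer(text):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok[0] in "\"'":
            tok = tok[1:-1]
        yield tok, text.count("\n", 0, m.start()) + 1


def _parse(text: str) -> List[Directive]:
    """Build the directive tree: ';' ends a simple directive, '{' opens a block."""
    root: List[Directive] = []
    stack, pending = [root], []
    for tok, line in _tokenize(text):
        if tok == "}":
            if len(stack) > 1:
                stack.pop()
        elif tok in ";{":
            if pending or tok == "{":
                name = pending[0][0] if pending else ""
                d = Directive(name, [t for t, _ in pending[1:]],
                              pending[0][1] if pending else line, [] if tok == "{" else None)
                stack[-1].append(d)
                if tok == "{":
                    stack.append(d.children)
            pending = []
        else:
            pending.append((tok, line))
    return root


def _scan_block(block: List[Directive], out: List[Finding]) -> None:
    for idx, d in enumerate(block):
        if d.name == "rewrite" and len(d.args) >= 2:
            repl = d.args[1]  # rewrite <regex> <replacement> [flag]
            if UNNAMED_CAPTURE.search(repl) and "?" in repl:
                follower = next((f for f in block[idx + 1:] if f.name in FOLLOWERS), None)
                if follower is not None:
                    out.append(Finding(d.line, repl, follower.name, follower.line))
        if d.children:
            _scan_block(d.children, out)


def scan_config(text: str) -> List[Finding]:
    """Return every rewrite in `text` matching the affected shape."""
    out: List[Finding] = []
    _scan_block(_parse(text), out)
    return out


# Constructed sample (paths and variables illustrative): one affected block,
# two near-misses, and the named-capture form depthfirst described.
SAMPLE_CONFIG = """
http {
    server {
        location /legacy/ {            # affected: $1, '?', then a set in the same block
            rewrite ^/legacy/(.*)$ /app/index.php?path=$1 last;
            set $backend app;
        }
        location /static/ {            # no '?' in the replacement
            rewrite ^/static/(.*)$ /assets/$1 break;
            set $cache on;
        }
        location /old/ {               # nothing follows inside the block
            rewrite ^/old/(.*)$ /new/index.php?id=$1 last;
        }
        location /fixed/ {             # named capture: the described mitigation
            rewrite ^/fixed/(?<item>.*)$ /app/index.php?item=$item last;
            if ($request_method = POST) { return 405; }
        }
    }
}
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line}: rewrite -> {f.replacement!r}, followed by {f.follower} on line {f.follower_line}")
```

Run it over the output of nginx -T (which prints the full, include-resolved configuration) rather than over individual files, so the include limitation does not hide a match. A finding is a candidate for review: it confirms the shape the advisory describes, not that a request path reaches it.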

Monitor web server and process telemetry for repeated NGINX worker crashes, worker restarts, or crash loops after crafted or unusual HTTP requests; the NGINX error log records these as "worker process N exited on signal S" alerts, which are distinct from the clean worker exits that follow an operator reload. Correlate the crash timestamps with reverse proxy, WAF, and access logs for requests targeting rewrite-heavy routes.

Inspect request logs for unusual URI characters passed through rewrite rules, especially requests containing encoded characters or separators that could expand during URI escaping. Treat these as leads for review rather than definitive compromise evidence.
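The correlation described in the two paragraphs above, as an added example that is not from the cited advisories: it picks worker-exit-on-signal alerts out of the NGINX error log, parses access-log lines in the default combined format, and for each crash lists the requests to watched route prefixes in the preceding window, marking URIs that contain percent-encoding or the +, & characters the root-cause analysis names. The log lines are constructed; the WATCHED_PREFIXES list, the 10-second window, and the assumption that both logs share a UTC clock are placeholders to tune per deployment. Since a worker can die before it writes the access-log entry for the request that killed it, the window is there to surface the probes around a crash rather than the final hit.

```python
"""Correlate nginx worker crashes with requests that preceded them.

Added example, not from the cited advisories. The crash line follows nginx's own
"worker process N exited on signal S" error-log alert; access lines follow the
default 'combined' log format. Sample lines are constructed. Assumptions: both
logs use the same clock (UTC here), WATCHED_PREFIXES lists this site's
rewrite-heavy routes, and a 10-second look-back window; tune per deployment.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from typing import List

CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# percent-encoding plus the characters depthfirst named as expanding during escaping
EXPANDING_RE = re.compile(r"%[0-9A-Fa-f]{2}|[+&]")

Crash = namedtuple("Crash", "ts pid signal")
Request = namedtuple("Request", "ts ip method uri status suspicious")
Lead = namedtuple("Lead", "crash requests")


def parse_crashes(error_lines: List[str]) -> List[Crash]:
    """Keep worker-exit-on-signal alerts only; 'exited with code 0' after a reload is ignored."""
    out = []
    for line in error_lines:
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
            out.append(Crash(ts, int(m["pid"]), int(m["sig"])))
    return out


def parse_access(access_lines: List[str]) -> List[Request]:
    """Parse combined-format lines; unparseable lines are skipped."""
    out = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            uri = m["uri"]
            out.append(Request(ts, m["ip"], m["method"], uri, int(m["status"]),
                               bool(EXPANDING_RE.search(uri))))
    return out


def correlate(error_lines, access_lines, prefixes, window_seconds=10) -> List[Lead]:
    """For each crash, collect requests to watched prefixes in the preceding window."""
    requests = parse_access(access_lines)
    leads = []
    for crash in parse_crashes(error_lines):
        start = crash.ts - timedelta(seconds=window_seconds)
        hits = [r for r in requests
                if start <= r.ts <= crash.ts and r.uri.startswith(tuple(prefixes))]
        leads.append(Lead(crash, hits))
    return leads


ERROR_LOG = [  # constructed: two signal-11 crashes and one clean reload in between
    "2026/05/18 10:14:02 [alert] 1201#0: worker process 1240 exited on signal 11 (core dumped)",
    "2026/05/18 10:14:02 [notice] 1201#0: start worker process 1377",
    "2026/05/18 10:20:00 [notice] 1201#0: signal process started",
    "2026/05/18 10:20:01 [notice] 1201#0: worker process 1250 exited with code 0",
    "2026/05/18 10:30:45 [alert] 1201#0: worker process 1377 exited on signal 11 (core dumped)",
]
ACCESS_LOG = [  # constructed, 'combined' format
    '203.0.113.7 - - [18/May/2026:10:13:58 +0000] "GET /legacy/a%2Fb+c&x HTTP/1.1" 200 512 "-" "curl/8.6.0"',
    '198.51.100.2 - - [18/May/2026:10:14:00 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/May/2026:10:14:01 +0000] "GET /legacy/%25%25%25%25%25%25%25%25 HTTP/1.1" 499 0 "-" "curl/8.6.0"',
    '203.0.113.7 - - [18/May/2026:10:25:00 +0000] "GET /legacy/plain HTTP/1.1" 200 100 "-" "curl/8.6.0"',
    '203.0.113.7 - - [18/May/2026:10:30:44 +0000] "GET /legacy/%2B%2B%2B%2B%2B%2B HTTP/1.1" 499 0 "-" "curl/8.6.0"',
]
WATCHED_PREFIXES = ["/legacy/"]  # assumed: routes served by the affected rewrite

if __name__ == "__main__":
    for lead in correlate(ERROR_LOG, ACCESS_LOG, WATCHED_PREFIXES):
        print(f"{lead.crash.ts:%H:%M:%S} worker {lead.crash.pid} died on signal {lead.crash.signal}")
        for r in lead.requests:
            flag = "expanding chars" if r.suspicious else "plain"
            print(f"  {r.ts:%H:%M:%S} {r.ip} {r.method} {r.uri} -> {r.status} [{flag}]")
```

Treat each lead as a starting point for review: a source that appears before more than one crash, or whose requests carry the expanding characters, deserves a closer look, but a match is not evidence of compromise on its own.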

Confirm that supported fixed releases are deployed where available. For systems that cannot upgrade immediately, replace unnamed captures with named captures in the affected rewrite directives, validate the configuration with nginx -t, and reload NGINX (nginx -s reload) so that new worker processes pick up the change.

Indicators of Compromise

The cited advisories did not publish unique IP addresses, domains, file hashes, or payload names for CVE-2026-42945 exploitation.

Network and request-log indicators:

  • Crafted HTTP requests to routes governed by rewrite directives with unnamed captures and question-mark replacement strings.
  • Request bursts followed by NGINX worker restarts or availability degradation.
  • Reverse proxy or WAF events on rewrite-heavy paths shortly before worker crashes.

Host and process indicators:

  • NGINX worker process crashes on affected versions.
  • Repeated NGINX worker restarts without an operator-initiated reload.
  • Core dumps or crash reports involving ngx_http_rewrite_module or rewrite processing, for example backtraces with frames in src/http/ngx_http_script.c, the file depthfirst named as the root cause.

Configuration indicators:

  • Affected NGINX Open Source or NGINX Plus versions with vulnerable rewrite patterns.
  • Unnamed captures such as $1 or $2 in rewrite replacements that include a question mark.
  • Systems where ASLR is disabled or where hardening settings are inconsistent across worker hosts.

Disclosure Timeline

2026-05-13 - F5 advisory and CVE publication

F5 coordinated disclosure and patch availability for CVE-2026-42945. NVD records the CVE as published on the same date.

2026-05-14 - depthfirst technical writeup

depthfirst published the NGINX Rift writeup, described the affected rewrite pattern, listed fixed releases, and stated that it was not aware of in-the-wild exploitation at disclosure time.

2026-05-18 - CSA Singapore exploitation notice

The Cyber Security Agency of Singapore reported that CVE-2026-42945 was being actively exploited in the wild and that a proof of concept was publicly available.

2026-05-21 - NVD record update

NVD records a modification on 21 May 2026, including updated wording for code execution when ASLR is disabled or bypassed.

Sources & References