NGINX Discloses 18-Year-Old CVE-2026-42945 Flaw, Urges Upgrades to 1.30.1 and R36 P4
Updated · Security Affairs · May 15
CVE-2026-42945, a CVSS 9.2 heap buffer overflow dubbed NGINX Rift, can let an unauthenticated attacker send a single crafted HTTP request that triggers remote code execution or repeated worker crashes.
The bug sits in ngx_http_rewrite_module and is triggered when unnamed PCRE captures like $1 are used with a replacement string containing a question mark, causing NGINX to size a buffer under one escaping assumption and write under another.
Affected software spans NGINX Open Source 0.6.27-1.30.0, NGINX Plus R32-R36, and several F5-linked products including Instance Manager, App Protect, Gateway Fabric and Ingress Controller; BIG-IP, F5OS and Distributed Cloud are not affected.
F5 released fixes after coordinated disclosure on April 21, with Open Source users told to move to 1.30.1 or 1.31.0 and Plus users to apply R32 P6 or R36 P4, then restart workers.
For systems that cannot patch immediately, replacing unnamed rewrite captures with named captures avoids the vulnerable code path; depthfirst said no in-the-wild exploitation was known at disclosure.
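An added example, not from the article or from F5/NGINX: a Python audit that flags rewrite directives matching the pattern described above (an unnamed capture reference such as $1 together with a question mark in the replacement) and proposes a named-capture equivalent. The function names, the c<N> group names and the sample configuration are assumptions made for illustration, and the parser assumes one unquoted directive per line.

```python
import re

# Constructed sample config fragment (illustrative, not from a real deployment).
SAMPLE_CONF = r"""
rewrite ^/item/(\d+)$ /view.php?id=$1 last;
rewrite ^/user/(?<uid>\d+)$ /profile.php?uid=$uid last;
rewrite ^/old/(.*)$ /new/$1 permanent;
"""
REWRITE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(.*;)\s*$')
UNNAMED_REF = re.compile(r'\$([1-9])')   # $1..$9 in the replacement

def name_groups(pattern):
    """Name each unnamed capturing group c<N>, where N is its PCRE group number."""
    out, n, i, in_class = [], 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':                      # escaped character: copy the pair untouched
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if ch in '[]':                      # parentheses inside [...] are literals
            in_class = ch == '['
        elif ch == '(' and not in_class:
            rest = pattern[i + 1:]
            if rest[:1] not in ('?', '*'):  # plain "(" opens an unnamed capture
                n += 1
                out.append('(?<c%d>' % n)
                i += 1
                continue
            if re.match(r"\?(P?<(?![=!])|')", rest):  # already named, still numbered
                n += 1
        out.append(ch)
        i += 1
    return ''.join(out)

def audit(conf_text):
    """Return (line_no, original, suggested) for rewrites matching the reported pattern."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = REWRITE.match(line)
        if m and '?' in m.group(2) and UNNAMED_REF.search(m.group(2)):
            regex, repl, tail = m.groups()
            repl = UNNAMED_REF.sub(r'${c\1}', repl)
            findings.append((no, line.strip(), 'rewrite %s %s%s' % (name_groups(regex), repl, tail)))
    return findings

if __name__ == '__main__':
    for no, old, new in audit(SAMPLE_CONF):
        print('line %d: %s\n  suggest: %s' % (no, old, new))
```

Treat each suggestion as a draft to review, and validate the edited configuration with nginx -t before reloading.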
NGINX Rift (CVE-2026-42945): AI-Driven Discovery of a Critical 18-Year Buffer Overflow Threatening Global Web Infrastructure
Overview
As of May 15, 2026, the cybersecurity community faces a major threat from CVE-2026-42945, known as 'NGINX Rift.' This vulnerability affects NGINX, which powers about a third of the world’s web servers, making the potential impact both widespread and severe. The flaw mainly causes denial of service by crashing NGINX worker processes, and repeated attacks can trigger crash loops, leading to ongoing service outages. There is also a risk of remote code execution in certain environments, highlighting the urgent need for immediate patching and careful review of affected systems.