VulnCheck detected in-the-wild attacks against CVE-2026-42945 on its honeypots, showing the newly disclosed NGINX flaw is already being weaponized; the attackers’ objectives remain unclear.
The bug is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX 0.6.27 through 1.30.0, and crafted HTTP requests can crash worker processes or potentially execute code without authentication.
Reliable RCE appears harder than simple denial-of-service: researchers said exploitation needs a specific NGINX configuration, and code execution typically also requires ASLR to be disabled.
F5 has issued fixes, and defenders are being urged to patch quickly because even the worker-crash (denial-of-service) outcome on its own is considered urgent.
VulnCheck also reported active exploitation of two openDCIM flaws rated 9.3, with observed activity from a single Chinese IP using a customized Vulnhuntr-based scanner before dropping a PHP web shell.
NGINX Rift (CVE-2026-42945): Critical Heap Overflow Threatens Millions of Servers—Active Exploitation and Urgent Mitigation
Overview
NGINX Rift (CVE-2026-42945) is a critical heap buffer overflow vulnerability discovered by depthfirst researchers that affects both NGINX Plus and NGINX Open Source versions. The flaw is found in the ngx_http_rewrite_module, which is included in every standard NGINX build, and is triggered by a common configuration pattern using unnamed captures like $1 or $2. Because NGINX is widely used as a reverse proxy, load balancer, and application delivery platform, this vulnerability creates a broad attack surface, with millions of servers potentially exposed. Many real-world deployments may be at risk without knowing it, making immediate patching and configuration review essential.
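To help with the configuration review the overview calls for, here is an added audit helper (example code written for this page, not from depthfirst, VulnCheck or the NGINX project). It flags rewrite-module directives that reference unnamed captures such as $1 or $2 and checks a reported version against the affected range stated above (0.6.27 through 1.30.0); the directive list and the sample config are constructed assumptions, and a hit means "review this", not a confirmed vulnerable server.

```python
"""Triage aid for CVE-2026-42945: find rewrite-module directives that use
unnamed captures ($1, $2, ...) and check the NGINX version range."""
import re

# Assumption: directives of ngx_http_rewrite_module that commonly
# reference regex captures; adjust for your own deployment.
REWRITE_DIRECTIVES = ("rewrite", "return", "set", "if")
UNNAMED_CAPTURE = re.compile(r"\$(\d+)")

# Affected range as stated in the advisory summary on this page.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)


def parse_version(text):
    """'1.30' -> (1, 30, 0); pads to three components for comparison."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def version_affected(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def find_unnamed_capture_uses(config_text):
    """Return (line_no, directive, capture_numbers) for each rewrite-module
    directive line that references an unnamed capture. Comments are
    stripped; named captures like $ver are intentionally not reported."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive = line.split(None, 1)[0]
        caps = UNNAMED_CAPTURE.findall(line)
        if caps and directive in REWRITE_DIRECTIVES:
            findings.append((no, directive, sorted({int(c) for c in caps})))
    return findings


# Constructed sample config (not from any real deployment).
CONSTRUCTED_CONFIG = """
server {
    listen 80;
    # legacy rewrite using an unnamed capture
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location ~ ^/api/(?<ver>v\\d+)/(.*)$ {
        # $ver is a named capture; $2 is unnamed and gets flagged
        return 301 /$ver/$2;
    }
    location /static/ {
        root /var/www;
    }
}
"""

if __name__ == "__main__":
    print("version 1.30.0 affected:", version_affected("1.30.0"))
    for line_no, directive, caps in find_unnamed_capture_uses(CONSTRUCTED_CONFIG):
        print(f"line {line_no}: '{directive}' uses unnamed capture(s) {caps}")
```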