The first in-the-wild attacks exploiting a critical-severity NGINX vulnerability patched last week have begun, according to VulnCheck. Tracked as CVE-2026-42945 (CVSS 9.2) and dubbed Nginx Rift, the flaw is a heap buffer overflow in the ngx_http_rewrite_module that has lurked in NGINX for 16 years. Depthfirst published technical details and PoC code soon after, and VulnCheck says threat actors are already exploiting the issue in attacks.
The bug can be exploited remotely without authentication via crafted HTTP requests, though a specific rewrite configuration is required. With ASLR disabled, exploitation can lead to remote code execution. On default deployments, successful exploitation would trigger a server restart and a denial-of-service condition, while RCE is more difficult where ASLR is enabled by default.
VulnCheck notes that roughly 5.7 million internet-exposed NGINX servers are running potentially vulnerable versions, though the truly exploitable population is likely a much smaller subset.