A critical NGINX flaw, CVE-2026-42945, is actively exploited in both NGINX Plus and NGINX Open Source, with a CVSS v4 score of 9.2. The vulnerability, dubbed NGINX Rift, arises from a heap buffer overflow in the ngx_http_rewrite_module, potentially allowing crashes or code execution via malicious HTTP requests.
Researchers note that while the flaw is real, remote code execution in real-world environments is unlikely because modern Linux distributions enable ASLR by default, and the public PoC only works after disabling ASLR with setarch -R. The PoC exploit deploys a specifically vulnerable configuration and relies on the attacker knowing or discovering that config, according to Kevin Beaumont.
Last week depthfirst disclosed the flaw, and VulnCheck Canaries were cited as reporting active exploitation shortly after disclosure. The article also quotes Beaumont stating that although the vulnerability is technically valid, fears of widespread RCE are overstated.