RESEARCHERS at depthfirst disclosed a critical 18-year-old heap buffer overflow in NGINX, tracked as CVE-2026-42945 and named NGINX Rift, affecting both NGINX Open Source and NGINX Plus. The flaw has a CVSS v4 score of 9.2 and lies in the ngx_http_rewrite_module, with the trigger tied to a configuration pattern that combines unnamed PCRE capture groups with a replacement string containing a question mark.
According to depthfirst, the attack can be launched by a single HTTP request from an attacker who can reach a vulnerable server, enabling remote code execution in the NGINX worker process in certain conditions. Fixed versions were released following the disclosure on 21 April 2026, and users should upgrade to NGINX Open Source 1.30.1 or 1.31.0, with specific patches for NGINX Plus R36 and other components.
The article also notes a configuration-level workaround for CVE-2026-42945 that replaces unnamed captures with named captures to avoid triggering the vulnerable path, and that there were no reports of exploitation at disclosure time.