All incidents

NGINX heap overflow vulnerability (CVE-2026-42945) allows remote code execution

vulnerabilityclosedMay 14, 2026 — May 14, 2026
NGINX heap overflow vulnerability (CVE-2026-42945) allows remote code execution

A newly disclosed heap overflow in NGINX’s rewrite module tracked as CVE-2026-42945 lets unauthenticated attackers achieve remote code execution on affected servers. The flaw resides in the ngx_http_rewrite_module and can be triggered over HTTP when certain rewrite rules are present. Researchers have nicknamed the issue NGINX Rift after the proof‑of‑concept repository that first demonstrated the exploit.

The vulnerability carries a CVSS v4 score of 9.2, reflecting its critical severity. It stems from a heap-based buffer overflow that occurs during the processing of specially crafted rewrite directives. An attacker who sends a malicious URI can overwrite adjacent memory chunks, which may crash the worker process or, when address space layout randomisation is disabled, allow the execution of arbitrary code within the privileged NGINX worker. In most observed cases the result is a denial‑of‑service condition marked by repeated worker restarts.

Affected releases include NGINX Open Source versions 0.6.27 through 1.30.0 and several NGINX Plus branches. Patches have been issued in the 1.30.1 and 1.31.0 streams, with corresponding updates for NGINX Plus releases R32 through R36. The fixes were coordinated after responsible disclosure on 21 April 2026 by the researchers at Depth First Disclosures. Administrators should confirm their exact build and verify whether the rewrite module is enabled with rule sets that could trigger the overflow.

F5 issued a broader advisory on 14 May 2026 that patches over fifty vulnerabilities across BIG-IP, BIG-IQ and NGINX products, with CVE-2026-42945 highlighted as the most severe. The same bulletin notes fixes for issues such as CVE-2026-41225 affecting iControl REST and several authentication‑required flaws. The proof‑of‑concept code published in the Depth First Disclosures repository shows how a single crafted request can trigger the overflow. While no threat actor has been observed actively exploiting the flaw in the wild, researchers warn that it could be chained with other misconfigurations to increase impact.

Defensive steps begin with confirming the NGINX version in use and upgrading to a patched release as soon as possible. If immediate upgrade is not feasible, administrators should review any custom rewrite rules for patterns that could trigger the overflow and consider disabling or simplifying them temporarily. Deploying a web application firewall to block requests containing long or anomalous query strings can provide an additional layer of protection.

Keeping address space layout randomisation enabled on the host reduces the chance of successful code execution even if the overflow is triggered. Monitoring error logs for sudden spikes in worker abort signals helps detect ongoing exploitation attempts.

Internet‑facing reverse proxies should be prioritised for patching, and organisations should maintain an up‑to‑date inventory of all NGINX instances to avoid overlooking legacy systems. Before applying updates, it is wise to test the patched version in a staging environment to ensure that existing rewrite configurations continue to function as expected. Regular audits of the nginx.conf file for risky directives such as rewrite, return or break can reduce the likelihood of future flaws being exploitable.

Staying subscribed to the nginx‑announce mailing list and tracking advisories from vendors like F5 ensures timely awareness of future security issues.

Intelligence briefing updated Jun 10, 2026

CVE-2026-42945 9.2 CVE-2026-41225 9.1 CVE-2026-41957 8.8 CVE-2026-34176 8.7 CVE-2026-39459 8.6
Root sourcegithub.com
Timeline Coverage

Swipe to explore timeline