## Overview: What Is CVE-2026-42945?

CVE-2026-42945 (dubbed "Nginx Rift" by the security community) is a critical heap buffer overflow vulnerability in Nginx's `ngx_http_rewrite_module`. Discovered by DepthFirst's automated AI security analysis system, this vulnerability allows an unauthenticated remote attacker to achieve arbitrary code execution on affected Nginx servers.

The vulnerability has a CVSS score of 9.2 (Critical) and affects an enormous version range: Nginx 0.6.27 through 1.30.0 — spanning over 18 years of releases since 2008. The exploit combines a rewrite rule parsing bug with a sophisticated cross-request heap feng shui technique to corrupt an adjacent `ngx_pool_t` cleanup pointer, ultimately hijacking control flow.
## Who Discovered It?
DepthFirst, a company specializing in AI-driven vulnerability research, identified the flaw using their automated security analysis pipeline. This marks yet another milestone in the growing trend of AI-discovered zero-day vulnerabilities, following similar discoveries in curl, Exim, Dnsmasq, and other critical infrastructure software.
Alongside CVE-2026-42945, Nginx's May 2026 security advisory also disclosed three additional memory corruption vulnerabilities:
- CVE-2026-42946 — A separate heap buffer overflow in mp4 module
- CVE-2026-40701 — A memory disclosure vulnerability
- CVE-2026-42934 — Another memory corruption issue
All four vulnerabilities were fixed simultaneously in Nginx 1.31.0 and 1.30.1.
## Affected Versions

| Status | Version Range |
|---|---|
| Vulnerable | Nginx 0.6.27 through 1.30.0 |
| Fixed | Nginx 1.31.0 (mainline), Nginx 1.30.1 (stable) |
## Technical Deep Dive

### The Root Cause: `is_args` Propagation Failure

The vulnerability lives in `ngx_http_rewrite_module`, specifically in how Nginx handles the `rewrite` directive combined with the `set` directive.

When Nginx processes rewrite rules, the `is_args` and `args` fields in the URI parser can become desynchronized. The critical bug is that when a rewrite rule triggers an internal redirect and modifies query string arguments, the `is_args` flag is not properly propagated to the `ngx_http_core_run_phases()` function. This creates a window where memory allocations operate on incorrect assumptions about buffer sizes.

The vulnerable code path involves the `set $args` directive inside a rewrite context. An attacker who can control the request URI and query string can craft input that triggers this desynchronization.
### The Exploit Mechanics: Cross-Request Heap Feng Shui

The exploit operates in multiple stages across separate HTTP requests:

- Spray Phase: The attacker sends carefully crafted requests to manipulate the heap layout, placing `ngx_pool_t` structures at predictable offsets from each other.
- Overflow Phase: A specially crafted request triggers the `rewrite`/`set` bug, causing Nginx to write beyond the allocated heap buffer. The overflow data corrupts the adjacent `ngx_pool_t` structure's `cleanup` field, which is a function pointer.
- Trigger Phase: When the corrupted pool is cleaned up (during request finalization), Nginx calls the hijacked `cleanup` handler — executing attacker-controlled code.
The key insight is that this is unauthenticated — the attacker doesn't need valid credentials, API keys, or any pre-existing access to the server. Simply sending malicious HTTP requests to an affected Nginx server is sufficient.
## Why Is This Called "Nginx Rift"?
The name "Rift" describes the fundamental disconnect — the "rift" — between how Nginx's internal state machine tracks query string parameters and how the rewrite module actually processes them. This gap persisted for 18 years across hundreds of releases.
## Impact: Who Should Be Concerned?
Given Nginx's market share (powering approximately 30-35% of all websites globally), this vulnerability has an enormous blast radius:
- Web hosting providers running shared Nginx infrastructure
- CDN and reverse proxy deployments using Nginx
- API gateways built on Nginx
- Kubernetes ingress controllers (many are based on Nginx)
- Cloud platform load balancers and application delivery controllers
- Self-hosted applications using Nginx as a web server or reverse proxy
Any organization running affected Nginx versions and exposing rewrite rules (even seemingly benign ones) should treat this as a critical-priority patching event.
## Mitigation and Remediation

### Immediate Actions (Priority 1)

- Upgrade immediately: Update to Nginx 1.31.0 (mainline) or 1.30.1 (stable) — these are the first releases containing the fix
- Verify version: Run `nginx -v` to confirm your current version
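The version check above is easy to script across a fleet. The following is an added example (not code from the advisory or from the Nginx project) that runs `nginx -v`, parses the `nginx/X.Y.Z` banner it prints on stderr, and compares it against the affected range the article states (0.6.27 through 1.30.0 vulnerable, 1.30.1 and 1.31.0 fixed). The range constants and the `nginx` binary name are the only assumptions.

```python
"""Check whether a local Nginx build falls in the CVE-2026-42945 affected range.

Added example, not from the advisory or the Nginx project. The version
boundaries are the ones stated in the article.
"""
import re
import subprocess

VULN_MIN = (0, 6, 27)   # first vulnerable release, per the article
VULN_MAX = (1, 30, 0)   # last vulnerable release, per the article

# `nginx -v` prints e.g. "nginx version: nginx/1.24.0"; Nginx Plus builds
# append a build suffix after the version, which this pattern ignores.
VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_nginx_version(text):
    """Extract (major, minor, patch) from `nginx -v` output text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no nginx/X.Y.Z version found in: %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the (major, minor, patch) tuple lies inside the vulnerable range."""
    return VULN_MIN <= tuple(version) <= VULN_MAX


def local_nginx_version(binary="nginx"):
    """Run `nginx -v` and return the parsed version, or None if nginx is absent."""
    try:
        proc = subprocess.run([binary, "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    # Nginx writes its version banner to stderr, not stdout.
    return parse_nginx_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    ver = local_nginx_version()
    if ver is None:
        print("nginx binary not found on PATH")
    elif is_affected(ver):
        print("nginx %d.%d.%d is in the affected range: upgrade to 1.30.1 or 1.31.0" % ver)
    else:
        print("nginx %d.%d.%d is outside the affected range" % ver)
```

One caveat when relying on the version string alone: distribution packages frequently backport security fixes without bumping the upstream version number, so a result of "affected" for a vendor package should be confirmed against that package's changelog or the vendor's advisory before concluding the host is still vulnerable.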
### Workarounds (If Patching Is Not Immediately Possible)

- Disable rewrite module: If your deployment doesn't use `rewrite` directives, you can remove or comment out all rewrite rules as a temporary mitigation
- Web application firewall (WAF) rules: Deploy WAF rules that filter suspicious query string patterns targeting rewrite directives
- Minimize surface area: Restrict access to Nginx endpoints that process user-controlled URIs through rewrite rules

⚠️ Important: Workarounds reduce but do not eliminate risk. The most effective mitigation is upgrading to a patched version.
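Before removing rewrite rules, you need an inventory of where they are. The following is an added example (not the article's or the Nginx project's code) that scans the output of `nginx -T`, which prints the effective configuration with every `include` resolved and prefixes each file with a `# configuration file <path>:` marker, and reports every `rewrite` directive and every `set $args` assignment, the two directives the article identifies as the vulnerable path. The sample configuration and its file paths are constructed for the example; the `nginx` binary name and the marker format are assumptions about your environment.

```python
"""Inventory rewrite-related directives in an Nginx configuration.

Added example, not the article's or the Nginx project's code. Feeds on the
text `nginx -T` prints (or on a single file given as an argument).
"""
import re
import subprocess
import sys

# Directives of interest at the start of a line, after optional indentation.
REWRITE_RE = re.compile(r"^\s*rewrite\s")
SET_ARGS_RE = re.compile(r"^\s*set\s+\$args\b")
# `nginx -T` prefixes each dumped file with a line of this shape.
FILE_MARKER_RE = re.compile(r"^# configuration file (?P<path>\S+):")


def find_rewrite_directives(config_text):
    """Return [(file, line_no, kind, stripped_line)] for each directive found.

    Commented-out lines are skipped, and line numbers restart at every
    "# configuration file" marker so they match the real file on disk.
    """
    findings = []
    current_file = "<input>"
    line_no = 0
    for raw in config_text.splitlines():
        line_no += 1
        marker = FILE_MARKER_RE.match(raw)
        if marker:
            current_file = marker.group("path")
            line_no = 0
            continue
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if REWRITE_RE.match(raw):
            findings.append((current_file, line_no, "rewrite", stripped))
        elif SET_ARGS_RE.match(raw):
            findings.append((current_file, line_no, "set $args", stripped))
    return findings


# Constructed sample in the shape of `nginx -T` output (paths are illustrative).
SAMPLE_CONFIG = """\
# configuration file /etc/nginx/nginx.conf:
events { }
http {
    include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    listen 80;
    # rewrite ^/old/(.*)$ /new/$1 permanent;
    location /legacy {
        rewrite ^/legacy/(.*)$ /app/$1 last;
        set $args "";
    }
    location /api {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        # -T needs read access to every included file, so run it as the
        # same user that owns the configuration (usually root).
        text = subprocess.run(["nginx", "-T"], capture_output=True,
                              text=True, check=False).stdout
    for path, line_no, kind, line in find_rewrite_directives(text):
        print(f"{path}:{line_no}: {kind}: {line}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments on the host to scan the live configuration, or pass a saved `nginx -T` dump as the first argument. An empty report means no `rewrite` or `set $args` directives are present in the effective configuration, which is the precondition the article gives for the "disable rewrite module" workaround; a non-empty report is the list of rules to review, not a verdict that each one is exploitable.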
### Update Methods by Distribution

#### Ubuntu/Debian

```bash
sudo apt update
sudo apt list --upgradable 'nginx*'   # quote the glob so the shell does not expand it
sudo apt upgrade nginx
# Or from official Nginx repository:
nginx -v # check current version (printed on stderr)
# Follow Nginx's official repo instructions to upgrade
```

#### RHEL/CentOS/Fedora

```bash
sudo yum update nginx
# Or for newer versions:
sudo dnf update nginx
```

#### Docker

```bash
docker pull nginx:1.31.0
# Or for stable:
docker pull nginx:1.30.1
```

#### From Source

```bash
wget https://nginx.org/download/nginx-1.31.0.tar.gz
tar -xzf nginx-1.31.0.tar.gz
cd nginx-1.31.0
# Reuse the configure arguments of the build you are replacing (shown by
# `nginx -V`) so paths and compiled-in modules stay the same.
./configure
make
sudo make install
```
## Detection: How to Know If You've Been Compromised

Post-exploitation signs to look for:

- Unexpected processes running under the `www-data` or Nginx worker user
- Unusual outbound network connections from Nginx workers
- Modified or new files in `/tmp`, `/dev/shm`, or web root directories
- Suspicious entries in Nginx access logs (requests with unusually long query strings, repeated patterns, or specific rewrite-triggering URIs)
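The access-log indicators in the last bullet can be checked mechanically. The following is an added example (not the article's code) that parses Nginx's default `combined` log format and flags the two patterns the article names: query strings longer than a threshold and one client requesting the same path many times. The thresholds are assumptions to tune per site, and the log lines are constructed for the example using RFC 5737 documentation addresses.

```python
"""Triage Nginx access logs for the log-based indicators listed above.

Added example, not the article's code. Thresholds are assumptions; the
sample log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Nginx's default "combined" access_log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def flag_requests(lines, max_query_len=512, repeat_threshold=10):
    """Return (findings, unparsed_count).

    Each finding is a dict whose "kind" is "long_query" (a request whose
    query string exceeds max_query_len) or "repeated_path" (one client
    requesting the same path at least repeat_threshold times).
    """
    findings = []
    unparsed = 0
    per_client_path = Counter()
    for line_no, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            unparsed += 1  # malformed lines deserve a look of their own
            continue
        if len(rec["query"]) > max_query_len:
            findings.append({"kind": "long_query", "line": line_no,
                             "ip": rec["ip"], "query_len": len(rec["query"])})
        per_client_path[(rec["ip"], rec["path"])] += 1
    for (ip, path), count in per_client_path.items():
        if count >= repeat_threshold:
            findings.append({"kind": "repeated_path", "ip": ip,
                             "path": path, "count": count})
    return findings, unparsed


def _line(ip, target, status="200"):
    # Builds one constructed combined-format line for the sample below.
    return (f'{ip} - - [15/May/2026:10:00:00 +0000] "GET {target} HTTP/1.1" '
            f'{status} 512 "-" "curl/8.0"')


# Constructed sample: two ordinary requests, one oversized query string,
# twelve hits on the same path from one client, and one malformed line.
SAMPLE_LOG = (
    [_line("192.0.2.10", "/index.html"),
     _line("192.0.2.11", "/app/login?next=%2Fdashboard"),
     _line("198.51.100.4", "/legacy/page?" + "A" * 600)]
    + [_line("203.0.113.7", "/legacy/index.php?id=%d" % i) for i in range(12)]
    + ["this line is not in combined format"]
)

if __name__ == "__main__":
    found, bad = flag_requests(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(f"{bad} unparsed line(s)")
```

To run it on a real log, replace `SAMPLE_LOG` with the lines of `access.log` (the function accepts any iterable of strings, so a file object works directly). Matches are leads for a human to review against the server's rewrite rules, not proof of exploitation, and a custom `log_format` needs a matching regular expression.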
## What the Industry Is Saying
The Nginx security advisory (published May 2026) describes the vulnerability as "critical" and urges immediate patching. The DepthFirst disclosure highlights how AI-driven vulnerability research continues to uncover deeply buried flaws in foundational internet infrastructure — flaws that traditional code review might miss.
On Hacker News, the disclosure generated significant discussion, with many commenters noting the irony that Nginx — often praised as a more secure alternative to Apache — harbored a critical RCE for nearly two decades.
## Timeline of Events
- 2008: Bug introduced in Nginx 0.6.27 (rewrite module refactoring)
- May 2026: DepthFirst AI security analysis discovers the vulnerability
- May 2026: Nginx releases 1.31.0 (mainline) and 1.30.1 (stable) with fixes for CVE-2026-42945 and three other memory corruption vulnerabilities
- May 15, 2026: Public disclosure and PoC release
## Frequently Asked Questions

### Does this affect Nginx Plus?
Yes. Nginx Plus distributions based on affected versions (0.6.27 through 1.30.0) are also vulnerable. Contact F5/Nginx support for patched builds.
### Can I mitigate without restarting Nginx?
No. The fix requires replacing the Nginx binary and restarting the service. A graceful reload may not be sufficient if the binary has not been updated.
### Is this being actively exploited?
As of the disclosure date, there are no confirmed reports of active exploitation in the wild. However, given the high CVSS score and the availability of PoC code, widespread exploitation attempts are expected.
### Do I need rewrite rules to be vulnerable?
Yes. The exploit requires the rewrite module to be active and for rewrite rules to be processed. However, many default Nginx configurations include rewrite rules (even implicitly through frameworks or CMS platforms).
### What about OpenResty, Tengine, or other Nginx forks?
These distributions may also be affected if they're based on the vulnerable version range. Check with the respective maintainers for patched builds.
## Conclusion
CVE-2026-42945 (Nginx Rift) is a critical vulnerability that has silently existed in Nginx for over 18 years. Discovered by AI-driven security research, it serves as both a warning and a case study: even the most battle-tested infrastructure software can harbor catastrophic flaws beneath the surface.
The fix is clear — upgrade to Nginx 1.31.0 or 1.30.1 immediately. Do not delay, even if you think your rewrite rules are benign. The CVSS 9.2 score reflects the severity: unauthenticated, remote, with full code execution capability. This is a patch that cannot wait.