CVE-2026-42945, dubbed NGINX Rift, is a heap buffer overflow in ngx_http_rewrite_module that has been present since NGINX 0.6.27 — released in 2008. Every version through 1.30.0 is affected, as is NGINX Plus R32 through R36. Patches landed on 13 May 2026 in NGINX Open Source 1.30.1 and 1.31.0. CVSS 4.0 score: 9.2 (Critical).
How it works
The bug sits in a size mismatch between the rewrite module's two passes. The length-calculation phase underestimates the required buffer when URI escaping occurs during the copy phase. An unauthenticated attacker can send a single crafted HTTP request to overflow the heap in a worker process. On systems without ASLR, this is a reliable path to remote code execution. On hardened systems, denial of service is the baseline impact — and that's still trivial to trigger.
The trigger condition requires a specific rewrite configuration: a rewrite directive using unnamed PCRE captures (e.g. $1, $2) with a replacement string containing a question mark, followed by a second rewrite, if, or set directive. This pattern is common in production configs.
What to do
Update immediately. If you run NGINX Open Source, move to 1.30.1 or 1.31.0. NGINX Plus users need R32 P6 or R36 P4 at minimum. There is no workaround that keeps the functionality intact — the mitigation is either patching or replacing unnamed captures with named alternatives in your rewrite rules.
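To find the rewrite rules that match the trigger condition described above, so they can be prioritised for patching or converted to named captures, here is an added audit sketch (not code from the advisory or the NGINX project). It assumes "followed by" means a later directive in the same block and does not follow include files. `find_risky_rewrites` is a hypothetical helper name and the sample configuration is constructed.

```python
import re

# Tokens: comment, quoted string, statement terminator, newline, bare word.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|\n|[^\s;{}"'#]+''')
UNNAMED = re.compile(r"\$\d")           # $1, $2, ... (unnamed PCRE captures)
FOLLOWERS = {"rewrite", "if", "set"}    # second-half directives the page names

def find_risky_rewrites(conf):
    """Return [(line, statement, has_follower)] for rewrites using $N and '?'."""
    line, start, words = 1, 1, []
    results, stack = [], [[]]           # stack: pending candidates per {} block
    for tok in TOKEN.findall(conf):
        if tok not in (";", "{", "}"):
            if tok != "\n" and not tok.startswith("#"):
                if not words:
                    start = line        # line where this statement begins
                words.append(tok)
            line += tok.count("\n")
            continue
        name = words[0] if words else ""
        if name in FOLLOWERS:           # a later rewrite/if/set in the same block
            for rec in stack[-1]:
                rec[2] = True
            stack[-1] = []
        if name == "rewrite" and len(words) >= 3:
            repl = words[2].strip("\"'")
            if UNNAMED.search(repl) and "?" in repl:
                rec = [start, " ".join(words), False]
                results.append(rec)
                stack[-1].append(rec)
        if tok == "{":
            stack.append([])
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        words = []
    return [tuple(r) for r in results]

# Constructed sample configuration (assumption, not taken from the advisory).
SAMPLE = r'''
location /a/ {
    rewrite ^/a/(.*)$ /b/$1?x=1 last;             # unnamed capture and "?"
    set $seen 1;                                  # following set directive
}
location /c/ { rewrite ^/c/(?<rest>.*)$ /d/$rest?x=1 last; set $seen 1; }
location /e/ { rewrite ^/e/(.*)$ /f/$1?x=1 last; }   # nothing follows
'''
if __name__ == "__main__":
    for line, stmt, followed in find_risky_rewrites(SAMPLE):
        print(f"line {line}: {stmt}  [follower in block: {followed}]")
```

Rules reported with `has_follower` set to False still deserve review, because this check cannot see directives in included files or enclosing blocks.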
A public proof-of-concept is available on GitHub (DepthFirstDisclosures/Nginx-Rift), which means exploitation is not theoretical. Every unpatched server exposed to the internet is a live target.
NGINX is the most widely deployed web server globally. The scale of exposure here is significant. This is a patch-now situation, not a schedule-for-next-cycle one.
Source: NGINX Security Advisories