

Ethical Hacking News

A Critical Vulnerability in NGINX: Implications for Web Server Security



A critical vulnerability has been discovered in NGINX, a widely used web server software, that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. The vulnerability, codenamed NGINX Rift, is particularly concerning due to its reachability without authentication and reliability in triggering the heap overflow. Users of affected versions are advised to apply the latest patches or update their configurations to prevent exploitation of this vulnerability.

  • NGINX has a critical security vulnerability (NGINX Rift) that allows remote code execution or DoS attacks with crafted requests.
  • The severity of this vulnerability lies in its reachability without authentication, reliability in triggering heap overflow, and potential for remote code execution.
  • The vulnerability arises from a heap buffer overflow in NGINX's ngx_http_rewrite_module.
  • F5 has released fixes for this vulnerability in various versions of NGINX Plus and NGINX Open Source.
  • Users are advised to apply the latest patches or update their configurations to prevent exploitation of this vulnerability.



    NGINX, a popular web server software widely used across various platforms, has recently faced a critical security vulnerability that could potentially allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. The vulnerability, codenamed NGINX Rift, was discovered by depthfirst and has been confirmed in both NGINX Plus and NGINX Open Source.

    The severity of this vulnerability lies in its reachability without authentication, reliability in triggering the heap overflow, and the potential to lead to remote code execution in the NGINX worker process. This is exacerbated by the fact that the attack can be carried out using a single request, with no prior access requirement or existing session needed.

    The vulnerability is a heap buffer overflow in NGINX's ngx_http_rewrite_module. According to F5's advisory released on May 14, 2026, it occurs when a rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture with a replacement string that includes a question mark (?). An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests.

    The heap buffer overflow occurs in the NGINX worker process and can result in the server restarting. On systems with Address Space Layout Randomization (ASLR) disabled, code execution is also possible. This makes NGINX Rift particularly concerning, as an attacker can exploit it without any prior access to the system.

    F5 and depthfirst have released fixes for this vulnerability in various versions of NGINX Plus and NGINX Open Source. These include NGINX Plus R32 - R36, NGINX Open Source 1.0.0 - 1.30.0, NGINX Instance Manager 2.16.0 - 2.21.1, F5 WAF for NGINX 5.9.0 - 5.12.1, and NGINX App Protect WAF 4.9.0 - 4.16.0.

    It is essential for users of these software versions to apply the latest patches or update their configurations to prevent exploitation of this vulnerability. Moreover, users should avoid using unnamed captures in rewrite directives until a patch is available.
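
    To locate configurations that match the condition described above, the following added example (not code from F5, depthfirst, or the NGINX project) audits a config for rewrite directives that should be reviewed or converted to named captures. It assumes one reading of the advisory wording: a rewrite whose replacement contains both `?` and an unnamed capture (`$1`..`$9`), directly followed by a rewrite, if, or set directive. It is a line-oriented heuristic; the sample config and function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the advisory): one rewrite using an
# unnamed capture with '?' in the replacement, one using a named capture,
# and one with an unnamed capture but no '?' in the replacement.
SAMPLE_CONF = r"""
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/index.php?page=$1;
        set $flag 1;
    }
    location /users/ {
        rewrite ^/users/(?<uid>\d+)$ /profile?id=$uid last;
        set $seen 1;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 break;
    }
}
"""

UNNAMED = re.compile(r"\$[1-9]")      # $1..$9 reference unnamed PCRE captures
FOLLOWERS = {"rewrite", "if", "set"}  # directives named in the article's description

def directives(conf):
    """Yield (line_no, name, args) per directive. Heuristic: assumes one
    directive per line and no quoted arguments containing spaces."""
    for no, raw in enumerate(conf.splitlines(), 1):
        line = re.sub(r"(?<!\\)#.*", "", raw).strip().rstrip(";{").strip()
        if line and line != "}":
            name, _, args = line.partition(" ")
            yield no, name, args.strip()

def audit(conf):
    """Return [(line_no, directive_text)] for rewrites matching the pattern."""
    items = list(directives(conf))
    findings = []
    for i, (no, name, args) in enumerate(items):
        if name != "rewrite":
            continue
        parts = args.split()
        repl = parts[1] if len(parts) > 1 else ""   # rewrite <regex> <replacement> [flag]
        nxt = items[i + 1][1] if i + 1 < len(items) else ""
        if "?" in repl and UNNAMED.search(repl) and nxt in FOLLOWERS:
            findings.append((no, f"rewrite {args}"))
    return findings

if __name__ == "__main__":
    for no, text in audit(SAMPLE_CONF):
        print(f"line {no}: review {text}")
```

    Only the first rewrite in the sample is reported; the second shows the same rule rewritten with a named capture, which is the form the configuration advice points toward.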

    In addition to NGINX Rift, three other vulnerabilities have been discovered in NGINX Plus and NGINX Open Source. These include CVE-2026-42946 (CVSS v4 score: 8.3), a heap buffer allocation vulnerability that could allow an attacker with adversary-in-the-middle (AitM) capabilities to control responses from an upstream server; CVE-2026-40701 (CVSS v4 score: 6.3), a use-after-free vulnerability in the ngx_http_ssl_module module; and CVE-2026-42934 (CVSS v4 score: 6.3), an out-of-bounds read vulnerability in the ngx_http_charset_module module.

    The discovery of these vulnerabilities highlights the importance of regular patching and monitoring for web server security. It also underscores the need for users to stay informed about potential vulnerabilities in their software and take prompt action to address them before they can be exploited by attackers.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-NGINX-Implications-for-Web-Server-Security-ehn.shtml

  • https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42946

  • https://www.cvedetails.com/cve/CVE-2026-42946/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-40701

  • https://www.cvedetails.com/cve/CVE-2026-40701/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42934

  • https://www.cvedetails.com/cve/CVE-2026-42934/


  • Published: Thu May 14 02:27:56 2026 by llama3.2 3B Q4_K_M












