

Ethical Hacking News

Unveiling the NGINX Rift: A Critical 18-Year-Old Flaw in the World's Most Deployed Web Server



A critical 18-year-old buffer overflow flaw has been discovered in NGINX, tracked as CVE-2026-42945 and named NGINX Rift. This vulnerability poses a significant threat to the security of websites and applications that use this web server software, particularly if they employ common configuration patterns. Because the window before attackers begin exploiting this vulnerability will not stay open indefinitely, users must take immediate action to patch their systems and prevent exploitation.

  • NGINX is vulnerable to a critical 18-year-old buffer overflow flaw (CVE-2026-42945) that can lead to remote code execution.
  • The vulnerability affects the ngx_http_rewrite_module component of NGINX and can be triggered by combining unnamed PCRE capture groups with question marks in replacement strings.
  • Exploiting this vulnerability requires only a single crafted HTTP request, making it a significant threat to website and application security.
  • The vulnerability has been undetected for 18 years, raising concerns about the effectiveness of bug bounty programs and penetration testing.
  • Users are advised to take immediate action to patch their NGINX systems or apply a configuration-level workaround to prevent exploitation.



NGINX is a web server software that has been the backbone of the internet for nearly two decades. It is used by millions of websites and applications around the world, making it one of the most widely deployed web servers globally. However, this widespread adoption also means that any security vulnerability in NGINX can potentially be exploited on a massive scale.

Recently, a critical 18-year-old buffer overflow flaw was discovered in NGINX, tracked as CVE-2026-42945 and named NGINX Rift. This flaw has been sitting undetected in the codebase of NGINX for nearly two decades, posing a significant threat to the security of websites and applications that use this web server software.

According to research by depthfirst, the vulnerability lives in the ngx_http_rewrite_module component of NGINX, which is included in every standard NGINX build. The trigger for this vulnerability is a configuration pattern common enough that a significant portion of real-world deployments may be affected without anyone knowing it. This pattern involves combining unnamed PCRE capture groups with question marks in replacement strings.

When a question mark appears in the replacement string, an internal flag on the script engine is set and never cleared. A subsequent length calculation uses a fresh sub-engine that does not account for URI escaping, so the buffer is sized for the raw, unescaped bytes. The write, however, runs on the original engine, where the escaping flag is still active, so escaped output longer than the calculated size lands in that undersized buffer, producing a deterministic memory corruption.

The outcome of this vulnerability is that an attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution. This means that there is no authentication step, no prior access requirement, and no need for an existing session to exploit this vulnerability.

On systems with ASLR disabled, a configuration still found in some production environments, remote code execution in the NGINX worker process is achievable with a single crafted HTTP request. Even where ASLR is enabled, repeated requests can be used to drive workers into a crash loop, degrading availability across every application served by that instance.

The implications of this vulnerability are far-reaching and potentially devastating. As NGINX is widely deployed in various industries, including finance, healthcare, and e-commerce, any exploitation of this vulnerability could have significant consequences. Furthermore, the fact that this vulnerability has been sitting undetected for 18 years raises serious concerns about the effectiveness of bug bounty programs and penetration testing.

In response to this discovery, depthfirst coordinated with F5 to ensure fixes were available alongside the public advisory. It is essential for all NGINX users to take immediate action to patch their systems and prevent exploitation of this vulnerability.

For environments where an immediate upgrade is not feasible, a configuration-level workaround exists specifically for CVE-2026-42945. Replacing unnamed captures ($1, $2) with named captures eliminates the vulnerable code path without requiring downtime. A vulnerable configuration such as

rewrite ^/users/([0-9]+)$ /profile.php?id=$1 last;

becomes safe when rewritten as

rewrite ^/users/(?<user_id>[0-9]+)$ /profile.php?id=$user_id last;

This is a small change with meaningful protective value while patching is arranged.
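As an added example (not part of the original article or of depthfirst's or F5's material), the following Python script audits an nginx configuration for the pattern the advisory describes, rewrite directives that combine unnamed PCRE captures with a question mark in the replacement, and proposes the named-capture form of the workaround. The sample configuration, the "cap" naming prefix and the one-directive-per-line parsing are assumptions of this example.

```python
import re
# Constructed nginx.conf fragment (sample input, not from the advisory). Line 1 is the
# page's vulnerable pattern, line 2 its named-capture fix, line 3 has no '?' in the
# replacement, line 4 has two unnamed captures.
SAMPLE_CONF = """
rewrite ^/users/([0-9]+)$ /profile.php?id=$1 last;
rewrite ^/users/(?<user_id>[0-9]+)$ /profile.php?id=$user_id last;
rewrite ^/old/(.*)$ /new/$1 permanent;
rewrite ^/shop/([a-z]+)/([0-9]+)$ /item.php?cat=$1&id=$2 break;
"""

# rewrite <regex> <replacement> [flag];  (args may be "quoted"; one directive per line assumed)
REWRITE_RE = re.compile(r'^\s*rewrite\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)(?:\s+\S+)?\s*;')
# Unescaped '(' plus optional suffix: none = unnamed capture; (?<name> or (?P<name> = named
# capture; bare '?' = non-capturing group or lookaround, which PCRE does not number.
GROUP_RE = re.compile(r'(?<!\\)\((\?P?<[A-Za-z_]\w*>|\?)?')

def parse_rewrites(conf):
    """Return (regex, replacement) for each rewrite directive found in conf."""
    hits = (REWRITE_RE.match(line) for line in conf.splitlines())
    return [(m.group(1).strip('"'), m.group(2).strip('"')) for m in hits if m]

def is_risky(regex, replacement):
    """The trigger the page describes: an unnamed capture plus a '?' in the replacement."""
    return '?' in replacement and any(m.group(1) is None for m in GROUP_RE.finditer(regex))

def to_named(regex, replacement, prefix='cap'):
    """Turn unnamed groups into (?<capN>...) and their $N references into $capN, following
    PCRE's overall numbering so groups that are already named keep their numbers."""
    number, renamed = [0], set()
    def rename(m):
        if m.group(1) == '?':          # non-capturing or lookaround: consumes no number
            return m.group(0)
        number[0] += 1                 # named and unnamed captures both consume one
        if m.group(1) is not None:     # already named: leave it untouched
            return m.group(0)
        renamed.add(number[0])
        return f'(?<{prefix}{number[0]}>'
    new_regex = GROUP_RE.sub(rename, regex)
    new_repl = re.sub(r'\$([1-9])(?!\d)', lambda m: f'${prefix}{m.group(1)}'
                      if int(m.group(1)) in renamed else m.group(0), replacement)
    return new_regex, new_repl

def audit(conf):
    """(regex, replacement, safe_regex, safe_replacement) for every risky rewrite in conf."""
    return [(r, p) + to_named(r, p) for r, p in parse_rewrites(conf) if is_risky(r, p)]
if __name__ == '__main__':
    for old_re, old_repl, new_re, new_repl in audit(SAMPLE_CONF):
        print(f'RISKY: rewrite {old_re} {old_repl}\n  fix: rewrite {new_re} {new_repl}')
```

The script flags only the combination the advisory names; a rewrite with unnamed captures but no question mark in its replacement is reported as not matching the trigger, not as safe in general.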

There were no reports of this vulnerability being exploited in the wild at the time of disclosure, but that may not remain the case. Because the window before exploitation begins will not stay open indefinitely, users must take proactive measures to secure their NGINX installations.

In conclusion, the discovery of the NGINX Rift vulnerability highlights the importance of continuous monitoring and patching of widely deployed software. It also underscores the need for effective bug bounty programs and penetration testing to identify vulnerabilities before they can be exploited. As the internet continues to evolve, it is essential that security researchers and developers prioritize the security of web servers like NGINX.

Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-the-NGINX-Rift-A-Critical-18-Year-Old-Flaw-in-the-Worlds-Most-Deployed-Web-Server-ehn.shtml
  • https://securityaffairs.com/192132/hacking/nginx-rift-an-18-year-old-flaw-in-the-worlds-most-deployed-web-server-just-came-to-light.html
  • https://nvd.nist.gov/vuln/detail/CVE-2026-42945
  • https://www.cvedetails.com/cve/CVE-2026-42945/

Published: Thu May 14 09:32:41 2026 by llama3.2 3B Q4_K_M