A critical NGINX vulnerability tracked as CVE-2026-42945 and nicknamed “NGINX Rift” is now being actively exploited by attackers, just days after its disclosure and the release of a proof-of-concept exploit. The flaw, which affects both the open-source NGINX web server and the commercial NGINX Plus product, poses a serious risk to a significant portion of the internet's infrastructure.
NGINX is far more than just a web server; it is one of the most fundamental pieces of modern web infrastructure. Originally developed to solve the C10k problem—handling ten thousand concurrent connections—NGINX has grown to serve as a reverse proxy, load balancer, HTTP cache, and API gateway. Its event-driven, asynchronous architecture allows it to handle massive traffic with low memory consumption, making it the server of choice for high-traffic websites, streaming services, and cloud-native applications. According to W3Techs, NGINX powers over 30% of all websites, including many of the world's largest platforms. Its development and maintenance are overseen by F5, a networking and application delivery company that acquired NGINX in 2019.
Understanding CVE-2026-42945
The vulnerability resides in the ngx_http_rewrite_module, which handles URI rewriting and redirection. It is a memory corruption issue that arises from a discrepancy in how NGINX calculates buffer sizes for rewrite operations. Specifically, when a rewrite directive uses an unnamed regex capture (such as $1 or $2) and the replacement string contains a question mark, followed by another rewrite, if, or set directive, NGINX computes the destination buffer using one set of escaping assumptions but writes to it using another. This mismatch causes the write operation to exceed the allocated buffer, resulting in deterministic heap corruption. The bytes written past the allocation are directly derived from the attacker's URI, meaning the corruption is not random but shaped by the attacker. This allows for precise control over the memory layout of the NGINX worker process.
CVE-2026-42945 affects NGINX Open Source from version 0.6.27 through 1.30.0, and NGINX Plus from version R32 through R36. It also impacts several F5 products that incorporate NGINX, such as the NGINX Ingress Controller, F5 WAF for NGINX, and F5 DoS for NGINX. The vulnerability can be triggered by a remote, unauthenticated attacker by sending a specially crafted HTTP request to a vulnerable NGINX instance. This makes it particularly dangerous because no prior authentication or access is required.
Exploitation in the Wild
The vulnerability was discovered by researchers at Depthfirst using their AI-native vulnerability detection platform. Along with four other security issues, CVE-2026-42945 was reported to F5, which released fixes and a security advisory on May 13, 2026. Shortly after, Depthfirst published technical details and a proof-of-concept exploit. On May 16, just three days later, researchers at VulnCheck observed exploitation attempts on their canary systems. The attempts were designed to trigger a denial-of-service condition, which is achievable on an otherwise default NGINX configuration as long as the vulnerable rewrite pattern is present. However, both VulnCheck and security researcher Kevin Beaumont noted that achieving remote code execution requires an additional condition: the attacker must be able to disable address space layout randomization (ASLR) on the target server. While ASLR bypasses are not trivial, they are not impossible, and the deterministic nature of the heap corruption makes the vulnerability particularly attractive for advanced attackers.
According to VulnCheck's Initial Access team, a Censys query identified roughly 5.7 million internet-exposed NGINX servers running a potentially vulnerable version. However, the truly exploitable population is likely much smaller because the specific rewrite configuration must be present. Yet even a fraction of that number represents millions of potentially compromised systems, especially given that NGINX is often used in high-value environments such as e-commerce sites, banking portals, and enterprise applications.
Impact and Risk Assessment
The primary impact of CVE-2026-42945 is denial-of-service. An attacker can cause NGINX worker processes to crash repeatedly, leading to a crash loop that degrades or completely disables service for every site served by the instance. This can have cascading effects on dependent applications and services. The potential for remote code execution raises the stakes considerably, as it could allow attackers to gain persistent access to the server, move laterally within the network, and exfiltrate sensitive data. Given NGINX's role as a front-end server, code execution could also enable man-in-the-middle attacks, session hijacking, or injection of malicious content.
The severity of this vulnerability is underscored by its CVSS score, which is likely to be in the critical range (9.0 or higher) due to the network attack vector, low attack complexity, no privileges required, and potential for high impact on confidentiality, integrity, and availability. However, the exact CVSS score has not been officially published as of this writing.
Affected Versions and Fixes
F5 has released patches for all affected products. The fixed versions are:
- NGINX Open Source: versions 1.31.0 and 1.30.1
- NGINX Plus: versions R36 P4 and R32 P6
- F5 WAF for NGINX: version 5.13.0
- F5 DoS for NGINX: version 4.9.0
In addition to patching, F5 provided a mitigation that can be applied to existing configurations: using named captures instead of unnamed captures in rewrite definitions. For example, changing rewrite ^/(.*)$ /index.php?$1 to rewrite ^/(?<path>.*)$ /index.php?$path avoids triggering the vulnerable code path. This workaround can be deployed immediately without waiting for a full version upgrade, which is especially useful for environments where downtime must be minimized.
Various Linux distributions have also started releasing patched nginx packages. AlmaLinux, Ubuntu, and Debian have all pushed updates to their repositories. Users of these distributions should update their nginx packages as soon as possible. For those using the official NGINX builds from nginx.org, the recommended approach is to upgrade to the latest release from the repository.
Broader Context of Web Server Vulnerabilities
This incident highlights a recurring pattern in software security: critical vulnerabilities in widely deployed infrastructure components are often discovered and exploited within days of disclosure. The speed of exploitation in this case—less than 72 hours after PoC publication—demonstrates the efficiency of modern threat actors and the importance of rapid patch management. It also underscores the value of vulnerability research that combines automated detection with deep code analysis. Depthfirst's use of AI to identify the flaw represents a growing trend in cybersecurity, where machine learning models are trained to detect subtle coding errors that human reviewers might miss.
History shows that vulnerabilities in web servers have long been a favorite target for attackers. From the Apache Struts vulnerabilities that led to the Equifax breach to the Heartbleed bug in OpenSSL, flaws in foundational internet software can have outsized consequences. NGINX's massive deployment means that even a vulnerability that only affects a subset of configurations can still impact millions of servers. The case of CVE-2026-42945 also serves as a reminder that default configurations are not always safe. While the vulnerable rewrite pattern is not enabled by default, many administrators add rewrite rules for SEO-friendly URLs, legacy redirects, or load balancing purposes without fully understanding the security implications.
Organizations that rely on NGINX should immediately check their configurations for the presence of rewrite directives using unnamed captures followed by a question mark and another directive. Tools such as Censys and Shodan can help identify vulnerable versions exposed to the internet, but internal audits are equally important. Security teams should prioritize patching for any NGINX instance that is internet-facing, and consider implementing the named capture workaround as a temporary measure.
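To make the configuration check and the named-capture workaround concrete, here is an added example that is not from the article, from F5, or from the NGINX project: a small Python audit script that applies the pattern described in the mitigation and audit paragraphs above (a rewrite whose replacement uses an unnamed capture such as $1 and contains a question mark, followed by another rewrite, if, or set directive) to a constructed nginx configuration, and rewrites flagged lines to named captures. It is a line-based heuristic rather than a full nginx parser, and the sample config, the function names, and the cap1/cap2 naming are all assumptions made for the example.

```python
"""
Heuristic audit for the nginx rewrite pattern described in the article (constructed example).

It approximates the article's description line by line and is not a full nginx config
parser: a 'rewrite' is flagged when its replacement uses an unnamed capture ($1..$9)
and contains '?', and the next directive is another rewrite, if, or set.
"""
import re

# 'rewrite <regex> <replacement> [flag];' on one line; quoted arguments are accepted
REWRITE_RE = re.compile(
    r'^\s*rewrite\s+("[^"]*"|\'[^\']*\'|\S+)\s+("[^"]*"|\'[^\']*\'|\S+)'
    r'(?:\s+(?:last|break|redirect|permanent))?\s*;'
)
FOLLOWING_RE = re.compile(r'^\s*(?:rewrite|if|set)\b')
UNNAMED_CAPTURE_RE = re.compile(r'\$(\d)')

# Constructed sample configuration (not a real deployment); line 5 carries the pattern.
VULNERABLE_CONF = """\
server {
    listen 80;
    location / {
        # unnamed capture, '?' in the replacement, another rewrite follows
        rewrite ^/old/(.*)$ /index.php?page=$1 last;
        rewrite ^/legacy$ /new permanent;
    }
    location /static/ {
        # unnamed capture but no '?' and nothing follows: not the described pattern
        rewrite ^/static/(.*)$ /assets/$1 break;
    }
}
"""


def _directives(config_text):
    """Yield (line_number, text) with blank lines and '#' comments removed.
    Caveat of the heuristic: a '#' inside a regex is also treated as a comment start."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        text = raw.split('#', 1)[0].strip()
        if text:
            yield lineno, text


def find_risky_rewrites(config_text):
    """Return one finding dict per rewrite that matches the described pattern."""
    directives = list(_directives(config_text))
    findings = []
    for idx, (lineno, text) in enumerate(directives):
        m = REWRITE_RE.match(text)
        if not m:
            continue
        regex, repl = (g.strip('"\'') for g in m.groups())
        if '?' not in repl or not UNNAMED_CAPTURE_RE.search(repl):
            continue
        nxt = directives[idx + 1][1] if idx + 1 < len(directives) else ''
        if FOLLOWING_RE.match(nxt):
            findings.append({'line': lineno, 'regex': regex, 'replacement': repl,
                             'followed_by': nxt.split()[0]})
    return findings


def to_named_captures(regex, replacement, prefix='cap'):
    """Turn unnamed groups '(...)' into '(?<capN>...)' and '$N' into '$capN'.
    Escaped parentheses and character classes are copied as-is; '(?...' groups
    (named, non-capturing, lookarounds) are not counted as new captures."""
    out, group, in_class, i = [], 0, False, 0
    while i < len(regex):
        ch = regex[i]
        if ch == '\\':                         # escaped character: copy both characters
            out.append(regex[i:i + 2]); i += 2; continue
        if in_class:                           # inside [...]: nothing opens a group
            in_class = ch != ']'
            out.append(ch); i += 1; continue
        if ch == '[':
            in_class = True
        elif ch == '(' and not regex.startswith('(?', i):
            group += 1
            out.append(f'(?<{prefix}{group}>'); i += 1; continue
        out.append(ch); i += 1
    new_repl = UNNAMED_CAPTURE_RE.sub(lambda m: f'${prefix}{m.group(1)}', replacement)
    return ''.join(out), new_repl


def harden_config(config_text):
    """Rewrite each flagged line to named captures and return the new config text."""
    lines = config_text.splitlines()
    for f in find_risky_rewrites(config_text):
        new_regex, new_repl = to_named_captures(f['regex'], f['replacement'])
        line = lines[f['line'] - 1]
        line = line.replace(f['regex'], new_regex, 1).replace(f['replacement'], new_repl, 1)
        lines[f['line'] - 1] = line
    return '\n'.join(lines)


if __name__ == '__main__':
    for f in find_risky_rewrites(VULNERABLE_CONF):
        print(f"line {f['line']}: rewrite {f['regex']} {f['replacement']} "
              f"is followed by '{f['followed_by']}'")
    print(harden_config(VULNERABLE_CONF))
```

Running the script flags only the rewrite on line 5 of the sample (the /static/ rule has no question mark and nothing follows it) and prints a hardened copy in which that rule reads rewrite ^/old/(?<cap1>.*)$ /index.php?page=$cap1 last;. Treat a match as a prompt to review the block and to patch, not as proof of exploitability: real configurations also spread rewrites across included files and multi-line directives that this line-based check does not follow.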
The broader lesson for system administrators is to maintain an inventory of software versions and configurations, subscribe to vendor security advisories, and establish a rapid patching process. In this case, the window between disclosure and exploitation was extremely short, and any delay in applying updates could result in a compromise. As the digital landscape continues to evolve, the pressure on defenders to keep pace with attackers will only intensify.
Source: Help Net Security News